diff options
Diffstat (limited to '')
-rw-r--r-- | testing/xpcshell/node-ws/SECURITY.md | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/testing/xpcshell/node-ws/SECURITY.md b/testing/xpcshell/node-ws/SECURITY.md new file mode 100644 index 0000000000..0baf19a63b --- /dev/null +++ b/testing/xpcshell/node-ws/SECURITY.md @@ -0,0 +1,39 @@ +# Security Guidelines + +Please contact us directly at **security@3rd-Eden.com** for any bug that might +impact the security of this project. Please prefix the subject of your email +with `[security]` in lowercase and square brackets. Our email filters will +automatically prevent these messages from being moved to our spam box. + +You will receive an acknowledgement of your report within **24 hours**. + +All emails that do not include security vulnerabilities will be removed and +blocked instantly. + +## Exceptions + +If you do not receive an acknowledgement within the said time frame please give +us the benefit of the doubt as it's possible that we haven't seen it yet. In +this case please send us a message **without details** using one of the +following methods: + +- Contact the lead developers of this project on their personal e-mails. You can + find the e-mails in the git logs, for example using the following command: + `git --no-pager show -s --format='%an <%ae>' <gitsha>` where `<gitsha>` is the + SHA1 of their latest commit in the project. +- Create a GitHub issue stating contact details and the severity of the issue. + +Once we have acknowledged receipt of your report and confirmed the bug ourselves +we will work with you to fix the vulnerability and publicly acknowledge your +responsible disclosure, if you wish. In addition to that we will create and +publish a security advisory to +[GitHub Security Advisories](https://github.com/websockets/ws/security/advisories?state=published). + +## History + +- 04 Jan 2016: + [Buffer vulnerability](https://github.com/websockets/ws/releases/tag/1.0.1) +- 08 Nov 2017: + [DoS vulnerability](https://github.com/websockets/ws/releases/tag/3.3.1) +- 25 May 2021: + [ReDoS in `Sec-Websocket-Protocol` header](https://github.com/websockets/ws/releases/tag/7.4.6) |