summaryrefslogtreecommitdiffstats
path: root/docs/Netdata-Security-and-Disclosure-Information.md
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2019-02-08 07:31:03 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2019-02-08 07:31:03 +0000
commit50485bedfd9818165aa1d039d0abe95a559134b7 (patch)
tree79c7b08f67edcfb0c936e7a22931653b91189b9f /docs/Netdata-Security-and-Disclosure-Information.md
parentReleasing debian version 1.11.1+dfsg-7. (diff)
downloadnetdata-50485bedfd9818165aa1d039d0abe95a559134b7.tar.xz
netdata-50485bedfd9818165aa1d039d0abe95a559134b7.zip
Merging upstream version 1.12.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'docs/Netdata-Security-and-Disclosure-Information.md')
-rw-r--r--docs/Netdata-Security-and-Disclosure-Information.md39
1 files changed, 39 insertions, 0 deletions
diff --git a/docs/Netdata-Security-and-Disclosure-Information.md b/docs/Netdata-Security-and-Disclosure-Information.md
new file mode 100644
index 000000000..8e8a66afc
--- /dev/null
+++ b/docs/Netdata-Security-and-Disclosure-Information.md
@@ -0,0 +1,39 @@
+# Netdata Security and Disclosure Information
+
+This page describes netdata security and disclosure information.
+
+## Security Announcements
+
+Every time a security issue is fixed in netdata, we immediately release a new version of it. So, to get notified of all security incidents, please subscribe to our releases on github.
+
+## Report a Vulnerability
+
+We’re extremely grateful for security researchers and users that report vulnerabilities to Netdata Open Source Community. All reports are thoroughly investigated by a set of community volunteers.
+
+To make a report, please email the private [security@netdata.cloud](mailto:security@netdata.cloud) list with the security details and the details expected for [all netdata bug reports](../.github/ISSUE_TEMPLATE/bug_report.md).
+
+## When Should I Report a Vulnerability?
+
+- You think you discovered a potential security vulnerability in Netdata
+- You are unsure how a vulnerability affects Netdata
+- You think you discovered a vulnerability in another project that Netdata depends on (e.g. python, node, etc)
+
+### When Should I NOT Report a Vulnerability?
+
+- You need help tuning Netdata for security
+- You need help applying security related updates
+- Your issue is not security related
+
+## Security Vulnerability Response
+
+Each report is acknowledged and analyzed by Netdata Team members within 3 working days. This will set off a Security Release Process.
+
+Any vulnerability information shared with Netdata Team stays within Netdata project and will not be disseminated to other projects unless it is necessary to get the issue fixed.
+
+As the security issue moves from triage, to identified fix, to release planning we will keep the reporter updated.
+
+## Public Disclosure Timing
+
+A public disclosure date is negotiated by the Netdata team and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. As a basic default, we expect report date to disclosure date to be on the order of 7 days. The Netdata team holds the final say when setting a disclosure date.
+
+[![analytics](https://www.google-analytics.com/collect?v=1&aip=1&t=pageview&_s=1&ds=github&dr=https%3A%2F%2Fgithub.com%2Fnetdata%2Fnetdata&dl=https%3A%2F%2Fmy-netdata.io%2Fgithub%2Fdocs%2FNetdata-Security-and-Disclosure-Information&_u=MAC~&cid=5792dfd7-8dc4-476b-af31-da2fdb9f93d2&tid=UA-64295674-3)]()