| 1 | # Atomist Open Source Security Policies and Procedures
|
| 2 |
|
| 3 | This document outlines security procedures and general policies for the
|
| 4 | Atomist Open Source projects as found on https://github.com/atomist.
|
| 5 |
|
| 6 | * [Reporting a Vulnerability](#reporting-a-vulnerability)
|
| 7 | * [Disclosure Policy](#disclosure-policy)
|
| 8 |
|
| 9 | ## Reporting a Vulnerability
|
| 10 |
|
| 11 | The Atomist OSS team and community take all security vulnerabilities
|
| 12 | seriously. Thank you for improving the security of our open source
|
| 13 | software. We appreciate your efforts and responsible disclosure and will
|
| 14 | make every effort to acknowledge your contributions.
|
| 15 |
|
| 16 | Report security vulnerabilities by emailing the Atomist security team at:
|
| 17 |
|
| 18 | security@atomist.com
|
| 19 |
|
| 20 | The lead maintainer will acknowledge your email within 24 hours, and will
|
| 21 | send a more detailed response within 48 hours indicating the next steps in
|
| 22 | handling your report. After the initial reply to your report, the security
|
| 23 | team will endeavor to keep you informed of the progress towards a fix and
|
| 24 | full announcement, and may ask for additional information or guidance.
|
| 25 |
|
| 26 | Report security vulnerabilities in third-party modules to the person or
|
| 27 | team maintaining the module.
|
| 28 |
|
| 29 | ## Disclosure Policy
|
| 30 |
|
| 31 | When the security team receives a security bug report, they will assign it
|
| 32 | to a primary handler. This person will coordinate the fix and release
|
| 33 | process, involving the following steps:
|
| 34 |
|
| 35 | * Confirm the problem and determine the affected versions.
|
| 36 | * Audit code to find any potential similar problems.
|
| 37 | * Prepare fixes for all releases still under maintenance. These fixes
|
| 38 | will be released as fast as possible to NPM.
|