# Security Policies and Procedures

This document outlines security procedures and general policies for the Connect
project.

* [Reporting a Bug](#reporting-a-bug)
* [Disclosure Policy](#disclosure-policy)
* [Comments on this Policy](#comments-on-this-policy)

## Reporting a Bug

The Connect team and community take all security bugs in Connect seriously.
Thank you for improving the security of Connect. We appreciate your efforts and
responsible disclosure and will make every effort to acknowledge your
contributions.

Report security bugs privately by emailing the lead maintainer listed in the
README.md file.

The lead maintainer will acknowledge your email within 48 hours, and will follow
up within 48 hours with a more detailed response indicating the next steps in
handling your report. After the initial reply to your report, the security team
will endeavor to keep you informed of the progress towards a fix and full
announcement, and may ask for additional information or guidance.

Report security bugs in third-party modules to the person or team maintaining
the module. You can also report a vulnerability through the
[Node Security Project](https://nodesecurity.io/report).

## Disclosure Policy

When the security team receives a security bug report, they will assign it to a
primary handler. This person will coordinate the fix and release process,
involving the following steps:

* Confirm the problem and determine the affected versions.
* Audit code to find any potential similar problems.
* Prepare fixes for all releases still under maintenance. These fixes will be
  released as fast as possible to npm.

## Comments on this Policy

If you have suggestions on how this process could be improved, please submit a
pull request.