From 6b839c3c325b980a476665bd55ff35973815d667 Mon Sep 17 00:00:00 2001 From: Stefan Holderbach Date: Tue, 30 Jul 2024 16:08:24 +0200 Subject: [PATCH] Create security policy (#13486) --- SECURITY.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..bfd4f5bcd9 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,29 @@ +# Security Policy + +As a shell and programming language Nushell provides you with great powers and the potential to do dangerous things to your computer and data. Whenever there is a risk that a malicious actor can abuse a bug or a violation of documented behavior/assumptions in Nushell to harm you this is a *security* risk. +We want to fix those issues without exposing our users to unnecessary risk. Thus we want to explain our security policy. +Additional issues may be part of *safety* where the behavior of Nushell as designed and implemented can cause unintended harm or a bug causes damage without the involvement of a third party. + +## Supported Versions + +As Nushell is still under very active pre-stable development, the only version the core team prioritizes for security and safety fixes is the [most recent version as published on GitHub](https://github.com/nushell/nushell/releases/latest). +Only if you provide a strong reasoning and the necessary resources, will we consider blessing a backported fix with an official patch release for a previous version. + +## Reporting a Vulnerability + +If you suspect that a bug or behavior of Nushell can affect security or may be potentially exploitable, please report the issue to us in private. +Either reach out to the core team on our Discord server to arrange a private channel or use the GitHub vulnerability reporting form. +Please try to answer the following questions: +- How can we reach you for further questions? +- What is the bug? Which system of Nushell may be affected? +- Do you have proof-of-concept for a potential exploit or have you observed an exploit in the wild? +- What is your assessment of the severity based on what could be impacted should the bug be exploited? +- Are additional people aware of the issue or deserve credit for identifying the issue? 
+ +We will try to get back to you within a week with: +- acknowledging the receipt of the report +- an initial plan of how we want to address this including the primary points of contact for further communication +- our preliminary assessment of how severe we judge the issue +- a proposal for how we can coordinate responsible disclosure (e.g. how we ship the bugfix, if we need to coordinate with distribution maintainers, when you can release a blog post if you want to etc.) + +For purely *safety* related issues where the impact is severe by direct user action instead of malicious input or third parties, feel free to open a regular issue. If we deem that there may be an additional *security* risk on a *safety* issue we may continue discussions in a restricted forum.
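Review bot: the "Reporting a Vulnerability" section tells reporters to "use the GitHub vulnerability reporting form" or to "reach out to the core team on our Discord server" but gives neither a link nor a name, so a reporter has no concrete destination; suggest linking the repository's Security Advisories page (the private reporting form only appears there if private vulnerability reporting is enabled in the repository settings, which this patch does not mention) and the Discord invite, and naming which channel or role to contact so a report does not end up in a public channel. Two smaller points in the same hunk: "Do you have proof-of-concept for a potential exploit" reads better as "Do you have a proof-of-concept for a potential exploit", and the response list promises acknowledgement "within a week" but the "Supported Versions" section gives no corresponding expectation for how fixes are announced (release notes, advisory), which reporters usually want to know before agreeing to a disclosure plan.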