docs: Add security disclosure policy #1194

Merged: 3 commits, Mar 21, 2023
Changes from 2 commits
22 changes: 22 additions & 0 deletions SECURITY.md
@@ -0,0 +1,22 @@
## Democratized Data Foundation Security Disclosure Policy

We value the work of well-intentioned security researchers in identifying security vulnerabilities. We adhere to the practice of responsible disclosure to protect users from the impact of security issues. This policy outlines our commitment to addressing security incidents and our expectations for responsible disclosure.


## Commitments

1. We respond to security incidents and address vulnerabilities.
2. We collaborate to establish a disclosure time frame for the reported vulnerability. During this time, we will either develop a fix or accept the risk, followed by disclosing the vulnerability.
3. We are transparent, ensuring that our community remains informed about incidents affecting them.


## Responsible Disclosure Process

If you have discovered a security vulnerability in our technologies, please disclose it responsibly by contacting us at [[email protected]](). We kindly ask that you refrain from discussing potential vulnerabilities in public without our prior validation.

Upon receiving a report, our security team will:

1. Review the report, verify the vulnerability, and respond with confirmation or requests for additional information. Our typical response time is within 24 hours.
2. Once the reported security bug has been addressed, we will notify the researcher, who may then optionally disclose the vulnerability publicly.

We currently do not offer bug bounties. The Democratized Data Foundation or organizations using our technologies may choose to provide such rewards in the future. We maintain a Hall of Fame to acknowledge those who have responsibly disclosed security issues.
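Review bot: the contact link in the Responsible Disclosure Process paragraph, `contacting us at [[email protected]]()`, has an empty link target, so the rendered SECURITY.md gives a reporter nothing to click and the address itself appears obfuscated; write the address out in plain text with a `mailto:` target, and consider publishing a PGP key alongside it so reports can be sent encrypted. Step 1 of the process commits to a "typical response time within 24 hours", which is a strong promise for a policy that also states "We currently do not offer bug bounties"; unless someone is actually on call, phrase it as a target (for example "we aim to acknowledge reports within N business days") so the policy does not over-promise. Commitment 2 says a disclosure time frame will be agreed per report but gives no default; naming one (90 days is common) avoids negotiating from scratch each time. Finally, the closing paragraph refers to a Hall of Fame but gives no link or location for it; add a pointer, otherwise the acknowledgement promise cannot be checked.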