From 42fa8581fc8585cd14f2e149a27a20ccc5d2c53c Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Fri, 20 Sep 2019 15:34:48 +0200 Subject: [PATCH] Add a security policy in our repo, remove outdated statement about versions --- SECURITY.md | 23 +++++++++++++++++++++++ docs/common/security-policy.rst | 6 ++---- 2 files changed, 25 insertions(+), 4 deletions(-) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..07543dee81 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,23 @@ +PowerDNS Security Policy +======================== + +If you have a security problem to report, please email us at both security@powerdns.com and ahu@ds9a.nl. +In case you want to encrypt your report using PGP, please use: +https://www.powerdns.com/powerdns-keyblock.asc + +Please do not mail security issues to public lists, nor file a ticket, unless we do not get back to you in a timely manner. +We fully credit reporters of security issues, and respond quickly, but please allow us a reasonable timeframe to coordinate a response. + +We remind PowerDNS users that under the terms of the GNU General Public License, PowerDNS comes with ABSOLUTELY NO WARRANTY. +This license is included in this documentation. + +HackerOne +--------- +Security issues can also be reported on [our HackerOne page](https://hackerone.com/powerdns) and might fetch a bounty. +Do note that only the PowerDNS software is in scope for the HackerOne program, not our websites or other infrastructure. + +Disclosure Policy +----------------- +- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. +- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. +- We will always credit researchers in our security advisories. diff --git a/docs/common/security-policy.rst b/docs/common/security-policy.rst index 6114a36560..6fef5efad9 100644 
--- a/docs/common/security-policy.rst +++ b/docs/common/security-policy.rst @@ -2,16 +2,14 @@ PowerDNS Security Policy ------------------------ If you have a security problem to report, please email us at both security@powerdns.com and ahu@ds9a.nl. +In case you want to encrypt your report using PGP, please use: https://www.powerdns.com/powerdns-keyblock.asc + Please do not mail security issues to public lists, nor file a ticket, unless we do not get back to you in a timely manner. We fully credit reporters of security issues, and respond quickly, but please allow us a reasonable timeframe to coordinate a response. We remind PowerDNS users that under the terms of the GNU General Public License, PowerDNS comes with ABSOLUTELY NO WARRANTY. This license is included in this documentation. -As of the 9th of September 2016, no actual security problems with PowerDNS Authoritative Server 3.4.10, Recursor 3.6.3, Recursor 3.7.2, or later are known about. -This page will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those. -Any such notifications will also be sent to all `PowerDNS mailing lists `_. - HackerOne ^^^^^^^^^ Security issues can also be reported on `our HackerOne page `_ and might fetch a bounty. -- 2.47.2
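Review bot: "This license is included in this documentation." was carried over from the docs tree into the new SECURITY.md, but that file sits at the repository root where there is no surrounding documentation for "this" to refer to; point the sentence at wherever the GPL text actually lives in the repository instead. Two smaller points in the same file: the PGP pointer gives only the URL of the keyblock, so consider listing the key fingerprint next to it so a reporter can check the key they fetched over HTTPS against a second source; and "third-party" under Disclosure Policy should read "third party" when used as a noun.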
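Review bot: the third removed line, "Any such notifications will also be sent to all PowerDNS mailing lists", is not part of the outdated version statement the subject describes; dropping it leaves the page without any pointer to where security advisories are announced, so consider keeping that sentence (or replacing it with a current pointer) while removing only the two version-specific lines. Also, after this hunk the .rst and the new SECURITY.md carry the same wording verbatim and will drift as one of them is edited; having one reference the other would avoid maintaining two copies.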