Security Vulnerability Reporting for Commonhaus Foundation Projects

Reporting a Vulnerability

1. Do Not Disclose Publicly: If you believe you've found a security vulnerability in a CF project, please do not post it in public places such as public issue trackers, mailing lists, or forums.

2. Send Directly to Project Maintainers: Send all the pertinent details to the project maintainers directly. If they have a dedicated security email, use that. If not, contact the primary maintainers.

   • GitHub: Report security vulnerabilities privately
   • GitLab: Use confidential issues

3. Use Encryption: For an added layer of security, consider encrypting your message using the maintainer's PGP key if available.

4. Provide Details: Clearly describe the nature and potential impact of the vulnerability. If possible, include steps to reproduce or proof of concept.

What Happens Next?

1. Acknowledgment: Once we receive your report, the project team will acknowledge it, usually within 48 hours.

2. Assessment and Mitigation: The vulnerability will be analyzed, and necessary patches or mitigations will be implemented.

3. Credit: We respect the importance of security researchers. When the vulnerability is disclosed, we'll ensure you get proper credit unless you wish to remain anonymous.

Public Disclosure Timing

1. Coordinated Disclosure: The timing of the public disclosure will be agreed upon with the reporter. Typically, it's done after a patch or mitigation strategy has been devised and shared with affected users.

2. Regular Updates: The team will keep the reporter updated about the progress and expected disclosure timeline.

General Guidelines

1. Act in Good Faith: This community is built on trust. Please act responsibly, avoid data destruction, service disruption, and privacy violation when researching vulnerabilities.

2. Feedback: We're always open to feedback on this policy. If you have suggestions for improvement, feel free to share them.