Security Vulnerability Reporting for Commonhaus Foundation Projects

Reporting a Vulnerability

  1. Do Not Disclose Publicly: If you believe you've found a security vulnerability in a CF project, please do not post it in public places such as public issue trackers, mailing lists, or forums.

  2. Send Directly to Project Maintainers: Send all the pertinent details to the project maintainers directly. If they have a dedicated security email, use that. If not, contact the primary maintainers.

  3. Use Encryption: For an added layer of security, consider encrypting your message using the maintainer's PGP key if available.

  4. Provide Details: Clearly describe the nature and potential impact of the vulnerability. If possible, include steps to reproduce or proof of concept.

What Happens Next?

  1. Acknowledgment: Once we receive your report, the project team will acknowledge it, usually within 48 hours.

  2. Assessment and Mitigation: The vulnerability will be analyzed, and necessary patches or mitigations will be implemented.

  3. Credit: We respect the importance of security researchers. When the vulnerability is disclosed, we'll ensure you get proper credit unless you wish to remain anonymous.

Public Disclosure Timing

  1. Coordinated Disclosure: The timing of the public disclosure will be agreed upon with the reporter. Typically, it's done after a patch or mitigation strategy has been devised and shared with affected users.

  2. Regular Updates: The team will keep the reporter updated about the progress and expected disclosure timeline.

General Guidelines

  1. Act in Good Faith: This community is built on trust. Please act responsibly and avoid data destruction, service disruption, and privacy violations when researching vulnerabilities.

  2. Feedback: We're always open to feedback on this policy. If you have suggestions for improvement, feel free to share them.