From 52dc8431abf851969705d9e44df0d1510b32eccd Mon Sep 17 00:00:00 2001 From: mffap Date: Thu, 16 Mar 2023 09:52:12 +0200 Subject: [PATCH] docs: update security policies (#5452) * docs(legal): vulnerability disclosure policy * update security.md * exception * add link to sidebar * Apply suggestions from code review Co-authored-by: Florian Forster * use main for release channel * review * fallback emails * typos, wording --------- Co-authored-by: Florian Forster --- SECURITY.md | 62 +++++++----- .../legal/vulnerability-disclosure-policy.mdx | 96 +++++++++++++++++++ docs/sidebars.js | 1 + 3 files changed, 137 insertions(+), 22 deletions(-) create mode 100644 docs/docs/legal/vulnerability-disclosure-policy.mdx diff --git a/SECURITY.md b/SECURITY.md index d957d61233..76d07edb62 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,41 +1,59 @@ # Security Policy -At ZITADEL we are extremely grateful for security aware people who disclose vulnerabilities to us and the open source community. All reports will be investigated by our team. +## Introduction -## Supported Versions +At ZITADEL we are extremely grateful for security aware people who disclose vulnerabilities to us and the open source community. +All reports will be investigated by our team and we will work with you closely to validate and fix vulnerabilities reported to us. -| Version | Supported | -| ------- | ------------------ | -| 2.x.x | :white_check_mark: | -| 1.x.x | :white_check_mark: | -| 0.x.x | :x: | +We require that you keep vulnerabilities confidential until we are able to address them, since public disclosure of security vulnerabilities could put the ZITADEL community at risk. + +## Scope + +The scope of this policy applies to all security issues that concern our Product in form of Software in our [open source repositories](https://github.com/zitadel). + +Out of scope are all websites and services operated by ZITADEL (CAOS Ltd.). +Please refer to the separate [vulnerability disclosure policy](https://zitadel.com/docs/legal/vulnerability-disclosure-policy). + +### Supported Versions + +Supported are releases that are newer and not older than 6 months from our stable release +https://github.com/zitadel/zitadel/blob/main/release-channels.yaml#L1 ## Reporting a vulnerability -To file an incident, please disclose it by e-mail to security@zitadel.com including the details of the vulnerability. +To file an incident, please disclose it by e-mail to [security@zitadel.com](mailto:security@zitadel.com) including the following details of the vulnerability: + +- Target: ZITADEL, Website (zitadel.com), ZITADEL Cloud (zitadel.cloud), Other (please describe) +- Type: For example DoS, authentication bypass, information disclosure, broken authorization, ... 
+- Description: Provide a detailed explanation of the issue, steps to reproduce, and assumptions you have made +- URL / Location (optional): The URL of the vulnerability +- Contact details (optional): In case we should contact you on a different channel At the moment GPG encryption is no yet supported, however you may sign your message at will. -### When should I report a vulnerability +Your email will be acknowledged within 48 hours. +We will follow-up within the next 3 business days indicating next steps in handling your report. -* You think you discovered a - * potential security vulnerability in `ZITADEL` - * vulnerability in another project that `ZITADEL` is based on -* For projects with their own vulnerability reporting and disclosure process, please report it directly there +If you haven't received a response within 48 hours, or you didn't get a reply from our security team within the last 5 days, please contact [support@zitadel.com](mailto:support@zitadel.com). + +Please inform us in your report whether we should mention your contribution. +We will not publish this information by default to protect your privacy. ### When should I NOT report a vulnerability -* You need help applying security related updates -* Your issue is not security related +- Disclosure of known public files or directories, e.g. robots.txt, files under .well-known, or files that are included in our public repositories (eg, go.mod) +- DoS of users when [Lockout Policy is enabled](https://zitadel.com/docs/guides/manage/console/instance-settings#lockout) +- You need help applying security related settings -## Security Vulnerability Response +## Disclosure Process -TBD +Our security team will follow the disclosure process: -## Public Disclosure - -All accepted and mitigated vulnerabilities will be published on [ZITADEL's GitHub Security Page](https://github.com/zitadel/zitadel/security/advisories). - -### Timing +1. We will acknowledge the receipt of your vulnerability report +2. 
Our security team will try to verify, reproduce, and determine the impact of your report +3. A member of our team will respond to either confirm or reject your report, including an explanation +4. Code will be audited to assess if the report uncovers similar issues +5. Fixes are prepared for the latest release +6. On the date that the fixes are applied, we will create a CVE and publish a [security advisory](https://github.com/zitadel/zitadel/security/advisories). Affected users of our Product, Services, or Website will be informed of the fix and required actions. We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the disclosures the time frame can range from 7 to 90 days. diff --git a/docs/docs/legal/vulnerability-disclosure-policy.mdx b/docs/docs/legal/vulnerability-disclosure-policy.mdx new file mode 100644 index 0000000000..7b6cc85ebd --- /dev/null +++ b/docs/docs/legal/vulnerability-disclosure-policy.mdx 
@@ -0,0 +1,96 @@ +--- +title: Vulnerability Disclosure Policy +custom_edit_url: null +--- + +## Introduction + +At ZITADEL we are extremely grateful for security aware people who disclose vulnerabilities to us and the open source community. +All reports will be investigated by our team and we will work with you closely to validate and fix vulnerabilities reported to us. + +We require that you keep vulnerabilities confidential until we are able to address them, since public disclosure of security vulnerabilities could put the ZITADEL community at risk. + +ZITADEL (CAOS Ltd.) will not take legal action against you or terminate your access to our services, conditional that you report vulnerabilities in accordance to this policy. + +## Scope + +The scope of this policy applies to all Websites and Services operated by ZITADEL. + +All security issues that concern our Product in form of Software in our [open source repositories](https://github.com/zitadel), should be reported according to [Security Policy](https://github.com/zitadel/zitadel/blob/main/SECURITY.md). + +When in doubt about the scope of your vulnerability, please follow the process outlined in this policy. + +## Discovering a vulnerability + +Responsible security research on our Websites, Products, and Services is encouraged and we allow you to conduct testing on our services to which you have authorized access. + +You must not do research or testing that involves + +- Any activity that violates applicable law +- Modify or destroy any data that does not belong to you +- Accessing or attempt to access data that does not belong to you +- Executing denial of service attacks +- Executing load testing + +Exceptions may be granted after your initial report by a member of our security team. 
+ +## Reporting a vulnerability + +To file an incident, please disclose it by e-mail to [security@zitadel.com](mailto:security@zitadel.com) including the following details of the vulnerability: + +- Target: ZITADEL, Website (zitadel.com), ZITADEL Cloud (zitadel.cloud), Other (please describe) +- Type: For example DoS, authentication bypass, information disclosure, broken authorization, ... +- Description: Provide a detailed explanation of the issue, steps to reproduce, and assumptions you have made +- URL / Location (optional): The URL of the vulnerability +- Contact details (optional): In case we should contact you on a different channel + +At the moment GPG encryption is no yet supported, however you may sign your message at will. + +Your email will be acknowledged within 48 hours. +We will follow-up within the next 3 business days indicating next steps in handling your report. + +If you haven't received a response within 48 hours, or you didn't get a reply from our security team within the last 5 days, please contact [support@zitadel.com](mailto:support@zitadel.com). + +Please inform us in your report whether we should mention your contribution. +We will not publish this information by default to protect your privacy. + +### What not to report + +- Disclosure of known public files or directories, e.g. robots.txt, files under .well-known, or files that are included in our public repositories (eg, go.mod) +- DoS of users when [Lockout Policy is enabled](https://zitadel.com/docs/guides/manage/console/instance-settings#lockout) +- Suggestions on Certificate Authority Authorization (CAA) rules +- Suggestions on DMARC/DKIM/SPF settings +- Suggestions on DNSSEC settings +- Phishing or Social Engineering Attacks +- Lack of security flags on non-sensitive cookies + +## Disclosure Process + +Our security team will follow the disclosure process: + +1. We will acknowledge the receipt of your vulnerability report +2. 
Our security team will try to verify, reproduce, and determine the impact of your report +3. A member of our team will respond to either confirm or reject your report, including an explanation +4. Code will be audited to assess if the report uncovers similar issues +5. Fixes are prepared for the latest release +6. On the date that the fixes are applied, we will create a CVE and publish a [security advisory](https://github.com/zitadel/zitadel/security/advisories). Affected users of our Product, Services, or Website will be informed of the fix and required actions. + +We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the disclosures the time frame can range from 7 to 90 days. + +## Bug Bounty / Compensation + +At this moment, we do not pay out monetary compensation for reporting security vulnerabilities. + +Please inform us in your report whether we should mention your contribution. +We will not publish this information by default to protect your privacy. + +In case we have confirmed your report, we may compensate you, given prior written approval by ZITADEL, for costs + +- incurred during research for using our paid services +- on time & material spend on analysis after confirming your report + +## Entry into force + +This privacy policy is valid from March 16, 2023. + +Last revised March 16, 2023 diff --git a/docs/sidebars.js b/docs/sidebars.js index 964cc6fd0a..d8d45b3a60 100644 --- a/docs/sidebars.js +++ b/docs/sidebars.js @@ -451,6 +451,7 @@ module.exports = { "legal/privacy-policy", "legal/acceptable-use-policy", "legal/rate-limit-policy", + "legal/vulnerability-disclosure-policy", ], }, ],
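Review bot: In the SECURITY.md hunk, step 5 of the disclosure process ("Fixes are prepared for the latest release") conflicts with the new Supported Versions section, which declares every release younger than 6 months as supported; state whether fixes are backported to those releases or narrow the support statement to the latest release. The Supported Versions sentence itself ("releases that are newer and not older than 6 months from our stable release") is ambiguous and relies on a line anchor (`release-channels.yaml#L1`) that silently breaks when that file changes; name the channel that defines the baseline instead. The report template lists "Website (zitadel.com), ZITADEL Cloud (zitadel.cloud)" as targets even though the Scope section declares websites and services out of scope for this file; either drop those targets here or say they are routed to the linked disclosure policy. Step 6 should say "request a CVE" rather than "create a CVE", since CVE IDs are assigned by a CNA, and the sentence "GPG encryption is no yet supported" still reads "no yet" ("not yet").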
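Review bot: In the vulnerability-disclosure-policy.mdx hunk, the closing line "This privacy policy is valid from March 16, 2023." names the wrong document and should read "This vulnerability disclosure policy is valid from March 16, 2023." Earlier in the same hunk, "conditional that you report vulnerabilities in accordance to this policy" should be "provided that you report vulnerabilities in accordance with this policy", and the testing restrictions list mixes forms ("Any activity that violates applicable law", "Modify or destroy any data", "Accessing or attempt to access data"); use one form throughout, e.g. "Modifying or destroying any data that does not belong to you" / "Accessing or attempting to access data that does not belong to you". The paragraph "Please inform us in your report whether we should mention your contribution. We will not publish this information by default to protect your privacy." appears twice (under Reporting a vulnerability and again under Bug Bounty / Compensation); keep one copy. The response-time paragraph promises a follow-up "within the next 3 business days" but tells reporters to escalate only after "the last 5 days"; align the two figures. "GPG encryption is no yet supported" should be "not yet supported".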