-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' of https://github.com/UniversitaDellaCalabria/uniCMS
- Loading branch information
Showing
1 changed file
with
35 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| # Security Policy | ||
|
|
||
| We consider the security of our projects a top priority. | ||
| But no matter how much effort we put into security, there can still be vulnerabilities present. | ||
| If you discover a vulnerability in one of the projects directly developed by us, | ||
| we would like to know about it so we can take steps to address it as quickly as possible, | ||
| while protecting our users and their data. | ||
|
|
||
| ## Report a vulnerability | ||
|
|
||
| Give adequate information allowing the vulnerability to be reproduced, so we will be able to resolve it as quickly as possible. | ||
| In particular please include at least the following information: | ||
|
|
||
| - type of vulnerability; | ||
| - service or URL or IPs affected; | ||
| - requirements to reproduce the issue; | ||
| - information necessary to reproduce the issue; | ||
| - impact of the vulnerability together with an explanation of how an attacker could find it and exploit it. | ||
|
|
||
| ## Ethical Rules | ||
|
|
||
| - Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or by deleting or modifying other people’s data. | ||
| - Do not share the information about the vulnerability with others until it has been resolved. We will notify you when the security vulnerability has been fixed. | ||
| - Do not place a backdoor in a system. By placing a backdoor in a system, that system becomes even more insecure. | ||
| - Do not make changes to the system or application. | ||
| - Do not use Denial of Service attacks or brute force access. | ||
| - Do not use aggressive automated scanning. | ||
| - Do not use social engineering of our employees or contractors. | ||
|
|
||
| ## What we promise | ||
| - We will respond to your report within 7 business days with our evaluation of the report and an expected resolution date. | ||
| - If you have followed the instructions above, we will not take any legal action against you concerning the report. | ||
| - We will not pass on your personal details to third parties without your permission, unless it is necessary to comply with a legal obligation. Reporting under a pseudonym or anonymous is possible. | ||
| - We will keep you informed of the progress towards resolving the problem. | ||
| - In mutual consultation, we can mention (if you desire) your name or acronym as the discoverer of the reported vulnerability on our hall of fame. |