-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
0a35bec
commit 6198ef5
Showing
1 changed file
with
35 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| # Security Policy | ||
|
|
||
| As a U.S. Government agency, the General Services Administration (GSA) takes | ||
| seriously our responsibility to protect the public's information, including | ||
| financial and personal information, from unwarranted disclosure. | ||
|
|
||
| Software developed by the U.S. General Services Administration (GSA) | ||
| is subject to the [GSA Vulnerability Disclosure Policy](https://www.gsa.gov/vulnerability-disclosure-policy). | ||
|
|
||
| Please consult our policy for: | ||
| * How to submit a report if you believe you have discovered a vulnerability. | ||
| * GSA's coordinated disclosure policy. | ||
| * Information on how you may conduct security research on GSA developed | ||
| software and systems. | ||
| * Important legal and policy guidelines. | ||
|
|
||
| ## Supported Versions | ||
|
|
||
| Please note that only certain branches are supported with security updates. | ||
|
|
||
| | Version (Branch) | Supported | | ||
| |------------------|--------------------| | ||
| | main | :white_check_mark: | | ||
| | other | :x: | | ||
|
|
||
| When using this code or reporting vulnerabilities please only use supported | ||
| versions. | ||
|
|
||
| ## Security Researchers | ||
|
|
||
| Security researchers shall: | ||
|
|
||
| * Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data. | ||
| * Only use exploits to the extent necessary to confirm a vulnerability. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to "pivot" to other systems. Once you've established that a vulnerability exists, or encountered any of the sensitive data outlined above, you must stop your test and notify us immediately. | ||
| * Keep confidential any information about discovered vulnerabilities for up to 90 calendar days after you have notified GSA. For details, please review Coordinated Disclosure. |