From 7587337d8e5d5519796bfa218a791897ed76a9b5 Mon Sep 17 00:00:00 2001 From: Bret Mogilefsky Date: Mon, 6 May 2024 13:41:07 -0700 Subject: [PATCH] Add SECURITY.md Straight copy of https://github.com/GSA-TTS/.allstar/blob/main/SECURITY.md --- SECURITY.md | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..d7c8e64 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,45 @@ +# Security Policy + +As a U.S. Government agency, the General Services Administration (GSA) takes +seriously our responsibility to protect the public's information, including +financial and personal information, from unwarranted disclosure. + +## Reporting a Vulnerability + +Services operated by the U.S. General Services Administration (GSA) +are covered by the **GSA Vulnerability Disclosure Program (VDP)**. + +See the [GSA Vulnerability Disclosure Policy](https://gsa.gov/vulnerability-disclosure-policy) +at for details including: + +* How to submit a report if you believe you have discovered a vulnerability. +* GSA's coordinated disclosure policy. +* Information on how you may conduct security research on GSA developed + software and systems. +* Important legal and policy guidance. + +### [Bug Bounties](https://hackerone.com/gsa_bbp) + +Certain GSA/TTS programs have bug bounties that are not discussed at the above link. If you find security issues for any of the following domains: + +* 18f.gov +* cloud.gov +* fedramp.gov +* login.gov +* search.gov +* usa.gov +* vote.gov + +you should also review the [GSA Bug Bounty program](https://hackerone.com/gsa_bbp) at for a potential bounty. + +## Supported Versions + +Please note that only certain branches are supported with security updates. + +| Version (Branch) | Supported | +| ---------------- | ------------------ | +| main | :white_check_mark: | +| other | :x: | + +When using this code or reporting vulnerabilities please only use supported +versions.
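Review bot: both link sentences in this hunk carry a stray "at" left over from a bare-URL phrasing, in "See the [GSA Vulnerability Disclosure Policy](https://gsa.gov/vulnerability-disclosure-policy) at for details including:" and in "you should also review the [GSA Bug Bounty program](https://hackerone.com/gsa_bbp) at for a potential bounty."; drop the "at" in both so the sentences read cleanly. The "### [Bug Bounties](https://hackerone.com/gsa_bbp)" heading already links the same URL that the closing sentence links again, so one of the two can be a plain reference. The commit message says this file is a straight copy of GSA-TTS/.allstar/SECURITY.md, so the same wording fixes should be made upstream as well, otherwise the next sync will reintroduce them. Finally, the Supported Versions table marks only "main" as supported; if reports against other branches will be closed rather than triaged, say so in the sentence that follows the table instead of only asking reporters to "use supported versions".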