docs: add security policy #2127
base: 3.x
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,35 @@ | ||||||
| # Tempest security policy | ||||||
|
|
||||||
| ## Reporting a security issue | ||||||
|
|
||||||
| If you think you have found a security issue within Tempest, don't create a GitHub issue and don't publish a pull request with proof of concept. In the first instance, report issues using [GitHub's security advisory reporting mechanism](https://github.com/tempestphp/tempest-framework/security/advisories/new), with as much information as you can provide, ideally including steps-to-recreate. Security reports submitted on this page are forwarded to the core maintainers only. | ||||||
|
|
||||||
| The core maintainers will determine whether this is classified as a security issue, and address it accordingly, or whether it is classified as a regular bug, and may ask you to raise a GitHub issue instead, at this time. | ||||||
|
|
||||||
| ## Resolution process | ||||||
|
|
||||||
| The core maintainers will aim to acknowledge and validate any reported security issue promptly. | ||||||
|
|
||||||
| Following the validation of a security issue, the core maintainers will broadly: | ||||||
|
|
||||||
| 1. Work on a patch and commit it to the repository via GitHub following the usual processes. | ||||||
|
|
||||||
| 2. Issue a release containing the security release. | ||||||
|
|
||||||
| 3. Consider offering a Rector automated fix within the release, where appropriate. | ||||||
|
|
||||||
| 4. Notify all subscribed Tempest parties via the usual channels (discord, blog, etc) that the updated is published. | ||||||
|
|
||||||
| ## Keeping Tempest secure | ||||||
|
|
||||||
| Several controls are in place to ensure that Tempest code releases are kept secure. | ||||||
|
|
||||||
| 1. All maintainers with write access to the repository use multi-factor authentication. | ||||||
|
|
||||||
| 2. Branch protection is configured on the repository. | ||||||
|
|
||||||
| 3. All access rights and privileges (including automated accounts, API keys) are assigned on a Principle of Least Privilege basis. | ||||||
|
|
||||||
| 4. Every pull request requires the successful completion of code quality and static analysis checks, and is reviewed by a core maintainer. | ||||||
|
|
||||||
| 5. Tempest actively upgrades dependencies based on deprecations and notices from upstream packages where used. | ||||||
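Review bot: step 4 of the resolution process reads "that the updated is published" where "the update" is meant, and step 2 says "a release containing the security release" where "security fix" is meant; the second sentence of the reporting section ("... and may ask you to raise a GitHub issue instead, at this time.") is also hard to parse and would read better as "If it is classified as a regular bug, they may ask you to raise a GitHub issue instead." Beyond wording, the resolution process has no step for publishing the GitHub security advisory (with a CVE where applicable) once the fixed release is out; since the reporting section relies on GitHub's advisory mechanism, adding "5. Publish the security advisory" after the release step lets downstream vulnerability tooling pick the fix up rather than relying on Discord or blog notifications alone. The policy also lacks a "Supported versions" statement telling reporters which release lines receive security fixes (this PR targets the 3.x base branch, so at least that should be stated), and "promptly" in the resolution section sets no expectation; an indicative acknowledgement window helps reporters decide when to follow up. Finally, the reporting link only works if private vulnerability reporting is enabled in the repository's security settings, so that should be verified before merging.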