diff --git a/SECURITY.md b/SECURITY.md index 15b866fa5..8db7de71a 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,21 +1,21 @@ -**Please contact us at [security@photoprism.app](mailto:security@photoprism.app) when you've discovered a potential security issue.** +# Security Policy -You are welcome to also report vulnerabilities in third-party applications that we may not be able to fix directly. +**Please contact us at [security@photoprism.app](mailto:security@photoprism.app) when you have discovered a potential security issue.** You are welcome to also report vulnerabilities in third-party applications that we may not be able to fix directly. At a minimum, your report should include the following: -* version and architecture -* vulnerability description -* reproduction steps +- version and architecture +- vulnerability description +- reproduction steps We will then try to reproduce the problem, determine the impact and get back to you as soon as possible. +Confirmed vulnerabilities will be fixed within 90 days, depending on the severity and whether third-party +packages are affected. + +**Responsible Disclosure:** + +1. Confirm that the vulnerability applies to a current version and is reproducible +2. First share the vulnerability details with us so that users are not put at risk +3. Wait before publishing details until everyone has had a chance to update *Avoid activities that disrupt, degrade, or interrupt our services or compromise other users' data, such as spam, brute force attacks, denial of service attacks, and malicious file distribution.* - -### Responsible Disclosure ### - -1. Confirm that the vulnerability applies to a current version -2. First share the vulnerability details with us -3. Wait for resolution before sharing details - -**Thank you!** 👍
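Review bot: the new "Responsible Disclosure" step 3 ("Wait before publishing details until everyone has had a chance to update") and the "fixed within 90 days, depending on the severity" sentence leave the reporter with no concrete embargo date, which replaces the old, equally open-ended "Wait for resolution before sharing details" with wording that is still unbounded; consider tying the two together, e.g. "We aim to release a fix within 90 days of the report; details may be published after a fix has been available for a stated period, or after 90 days if no fix is available." The "At a minimum, your report should include" list would also benefit from asking for the affected component or endpoint and a proof of concept alongside "reproduction steps", and the policy currently names no encrypted channel or key fingerprint for sending exploit details to security@photoprism.app; if one exists it belongs here. Finally, the closing "**Thank you!**" line is dropped without replacement, which looks unintentional rather than a deliberate tone change.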