We are committed to ensuring the security and privacy of our users and their data. This document outlines our approach to handling security vulnerabilities, best practices for reporting issues, and the procedures we follow to manage security incidents effectively across all our projects.
- Supported Versions
- Reporting a Vulnerability
- Our Commitment to Researchers
- Disclosure Policy
- Security Best Practices
- Incident Response
- Security Tools and Resources
- Contact Information
- Acknowledgments
We provide security updates for the following versions of our projects. Please ensure that you are using a supported version to receive timely security patches.
Version | Supported | End of Life |
---|---|---|
1.x | ✅ | TBA |
0.x | ❌ | Date |
Older versions may not receive security updates. We encourage all users to upgrade to the latest supported version.
If you discover a security vulnerability in any of our projects, please follow these steps to report it:
- Do not disclose the vulnerability publicly. Contact us directly via our security email at security@scape.agency.
- Provide a detailed report that includes:
- A clear description of the vulnerability.
- The impact it could have on users.
- Steps to reproduce the issue, including any relevant code snippets or screenshots.
- Any potential fixes or mitigations you have identified.
- Use the subject line "Security Vulnerability Report" for clear identification.
- We will acknowledge receipt of your report within 48 hours and begin our investigation.
- We may request additional information to assist with the investigation.
- Our goal is to address vulnerabilities within a maximum of 90 days from the date of disclosure, although critical issues may be prioritized for faster resolution.
We recognize the valuable role that security researchers play in maintaining the safety and security of our projects. To encourage responsible disclosure and collaboration, we commit to:
- Acknowledging and rewarding valid security reports with recognition in our release notes and a potential bounty (if applicable).
- Communicating with transparency and honesty about the status and progress of your reported issue.
- Ensuring that you are kept informed about our remediation plans and timelines.
We believe in a transparent approach to security and aim to disclose vulnerabilities in a responsible manner. Our disclosure policy includes:
- Public Disclosure Timeline: We aim to publicly disclose security vulnerabilities after a fix has been released, or within 90 days of the report, whichever is sooner.
- Credit: We will credit the reporter for their contributions in our release notes unless requested otherwise.
- Coordinated Disclosure: If a vulnerability affects other vendors or projects, we will coordinate with them to ensure that all parties are prepared to address the issue simultaneously.
We recommend the following best practices to enhance the security of your development and deployment processes:
- Regular Updates: Keep your software and dependencies up-to-date to receive the latest security patches.
- Access Control: Implement the principle of least privilege by restricting access rights to the minimum necessary for functionality.
- Data Protection: Encrypt sensitive data both in transit and at rest. Use strong encryption algorithms and regularly update encryption keys.
- Code Reviews: Conduct regular code reviews and security audits to identify potential vulnerabilities early.
- Use Security Tools: Leverage automated security tools to scan for vulnerabilities, such as SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing).
- Security Training: Provide ongoing security training for developers and IT staff to raise awareness of potential threats and vulnerabilities.
In the event of a security incident, we have established procedures to ensure a swift and effective response:
- Detection and Analysis: Upon discovering an incident, our security team will analyze the threat to understand its impact and scope.
- Containment: We will immediately contain the threat to prevent further damage.
- Eradication: The root cause of the incident will be identified and eradicated.
- Recovery: We will restore affected systems and services to normal operation.
- Communication: We will inform affected users and stakeholders about the incident and provide guidance on any necessary actions they should take.
- Post-Incident Review: A thorough review of the incident will be conducted to learn from the event and improve future responses.
To support your security efforts, we recommend the following tools and resources:
- OWASP Top Ten: A list of the most critical security concerns for web applications.
- NIST Cybersecurity Framework: A policy framework for computer security guidance.
- Snyk: A tool for finding and fixing vulnerabilities in your dependencies.
- Clair: A tool for static analysis of vulnerabilities in application containers.
- SonarQube: A platform for continuous inspection of code quality and security.
- Burp Suite: A comprehensive suite for web application security testing.
- Metasploit Framework: A tool for developing and executing security exploits.
For any security-related inquiries or reports, please email security@scape.agency and include the word "SECURITY" in the subject line.
We'll endeavor to respond quickly, and will keep you updated throughout the process.
We would like to express our gratitude to the following individuals and organizations for their contributions to our security efforts:
- [Researcher's Name] - For discovering and reporting [specific vulnerability].
- [Security Organization Name] - For providing valuable resources and support.
- Our dedicated community of users and developers who help us improve our projects every day.