From 5546523ffb47755d2a8adfdec7bef0f8653ac2bd Mon Sep 17 00:00:00 2001 From: Nathan Bailey Date: Tue, 14 Jan 2025 08:59:14 -0800 Subject: [PATCH] chore(docs): add SECURITY.md (#568) --- SECURITY.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..84196b06 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,32 @@ +# Security Policy + +## Reporting a Vulnerability + +At Kong, we take security issues very seriously. If you believe you have found a security vulnerability in our project, we encourage you to disclose it responsibly. Please report any potential security vulnerabilities to us by sending an email to [vulnerability@konghq.com](mailto:vulnerability@konghq.com). + +## How to Report + +1. **Do not publicly disclose the vulnerability**: Please do not create a GitHub issue or post the vulnerability on public forums. Instead, contact us directly at [vulnerability@konghq.com](mailto:vulnerability@konghq.com). +1. **Provide detailed information**: When reporting a vulnerability, please include as much information as possible to help us understand and reproduce the issue. This may include: + - Description of the vulnerability + - Steps to reproduce the issue + - Potential impact + - Any relevant logs or screenshots + +## What to Expect + +- **Acknowledgment**: We will acknowledge receipt of your vulnerability report within 48 hours. +- **Investigation**: Our security team will investigate the report and will keep you informed of the progress. We aim to resolve critical vulnerabilities within 30 days of confirmation. +- **Disclosure**: We prefer coordinated disclosure and will work with you to schedule the disclosure of the vulnerability in a way that minimizes the risk to users. + +## Bug Bounty Program + +We encourage security researchers to participate in our bug bounty program as outlined on the [Kong Vulnerability Disclosure](https://konghq.com/compliance/bug-bounty) page. This program provides rewards for discovering and reporting security vulnerabilities in accordance with our disclosure guidelines. + +Thank you for helping to keep Kong secure. + +For more information on our security policies and guidelines, please visit the [Kong Vulnerability Disclosure](https://konghq.com/compliance/bug-bounty) page. 
+ +## Contact + +For any questions or further assistance, please contact us at [vulnerability@konghq.com](mailto:vulnerability@konghq.com).
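Review bot: The closing paragraph ("For more information on our security policies and guidelines, please visit the [Kong Vulnerability Disclosure](https://konghq.com/compliance/bug-bounty) page.") repeats the same link already given under "Bug Bounty Program" and adds nothing; either drop it or point it at a distinct policy page so readers are not sent to the bounty page twice. Two smaller points in the same hunk: the reporting instructions offer only a plain-mailto address with no PGP key or other encrypted channel, so a reporter has no way to send reproduction steps confidentially, and a "Supported Versions" section stating which releases receive security fixes would help reporters and users alike. The `1.` numbering used for both items under "How to Report" renders correctly in Markdown but reads oddly in the raw file; consider `1.` and `2.`.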