This document describes the Archway Security team's process for handling security issues.
IMPORTANT: Please DO NOT open public issues for security-related matters, or discuss them in a public forum or on social media.
All security issues should be reported via email to [email protected]. Email is delivered to the Archway Security team at Phi Labs.
Include the following details in the report:
- Your name;
- Your affiliation (if applicable);
- Technical description of the issue, including steps to reproduce;
- Explanation of who may be able to exploit this vulnerability and what the impact or implications may be;
- Whether this vulnerability is public or known to third parties. Please provide details where applicable;
Please notify the Archway Security team at the email above of existing public issues that may be of critical security importance. Please be sure to include the issue ID along with a short description / explanation of the security relevance.
Under the repository "Security" tab / Security Advisories you will find "Report a vulnerability". Please complete the provided form with as much detail as possible.
For more information on GitHub private vulnerability reporting see this.
Best practices for writing repository security advisories can be found here.
Security researchers can also use the REST API to privately report security vulnerabilities. For more information, see "Privately report a security vulnerability" in the REST API documentation.
The Archway Security team will:
- Verify and confirm the issue;
- Determine affected versions and scope of impact;
- Conduct audits to find any potential similar and related issues;
- Prepare fixes for relevant in-production releases;
- Endeavor to communicate and coordinate with relevant ecosystem stakeholders, including the Archway communities, at the appropriate times;
Please assist the Archway Security team by following these guidelines:
- Allow a reasonable amount of time for the team to respond to and address the issue;
- Avoid exploiting any issues or vulnerabilities that you may become aware of;
- Demonstrate good faith by not disrupting Archway's networks, data, services or communities;
Every effort will be made to handle and address security issues as quickly and efficiently as possible.