From dff6a4dff1dbc0de96f531eb9acded601d473cbc Mon Sep 17 00:00:00 2001 From: Roshan Krishnachandra Jha Date: Mon, 27 Jul 2020 09:59:20 +0530 Subject: [PATCH 1/2] SECURITY.md for better vulnerability reporting Security guidelines for better reporting of vulnerabilities --- SECURITY.md | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..8d3f72f62 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,77 @@ +# `SECURITY.md` - Responsible Security Disclosure README standard + +## Our security policy and Your responsibility +- **POLICY**: + +*Our security policy is to avoid leaving the ecosystem worse than we found it. Meaning we are not planning to introduce vulnerabilities into the ecosystem.* + +The "react-360" team and community take all security bugs in "react-360" seriously. Thank you for improving the security of "react-360". We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions. + +Report security bugs by emailing the lead maintainer Andrew Imm at [andrewi@fb.com] and include the word "SECURITY" in the subject line.. + +The lead maintainer will acknowledge your email within a week, and will send a more detailed response 48 hours after that indicating the next steps in handling your report. After the initial reply to your report, the security team will endeavor to keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. + +- "react-360" will confirm the problem and determine the affected versions. +- "react-360" will audit code to find any potential similar problems. +- "react-360" will prepare fixes for all releases still under maintenance. These fixes will be released as fast as possible. + +Report security bugs in third-party modules to the person or team maintaining the module. + +- **SECURITY DISCLOSURE**: + +*Your responsibility is to report vulnerabilities to us using the guidelines outlined below.* + +Discuss how someone should disclose a vulnerability to "react-360", in tl;dr ( or ELI5 ) language. Then expand on this with "How To Disclose a vulnerability in detail". Please give detailed steps on how to disclose the vulnerability. Keep these OWASP guidelines in mind ( https://www.owasp.org/index.php/Vulnerability_Disclosure_Cheat_Sheet ) when creating your disclosure policy. 
Below are some recommendations for security disclosures: +- "react-360" security contact { contact: mailto:[andrewi@fb.com] } +- Disclosure format: When disclosing vulnerabilities please + 1. Your name and affiliation (if any). + 2. include scope of vulnerability. Let us know who could use this exploit. + 3. document steps to identify the vulnerability. It is important that we can reproduce your findings. + 4. how to exploit vulnerability, give us an attack scenario. + +### Encryption key for [EMAIL ADDRESS] +For critical flaws and sensitive security information you may encrypt your transmission with key below. +``` +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +-----END PGP PUBLIC KEY BLOCK----- +``` + +## "react-360" Checklist: Security Recommendations +Follow these steps to improve security when using "MY-PROJECT". +1. ...SEE SOMETHING +2. ...SAY SOMETHING + +### 1)...SEE SOMETHING +We suggest you goto #2 if this happens. + +**Why?** +Through experience we have found it is best to goto #2 in this situation. 
+ +**How?** +Read our suggestions on [Reporting Security Issues](https://github.com/facebook/react-360/security.md). +`SHOW HOW TO CODE EXAMPLES IF POSSIBLE` +or goto #2 + +## Version +**version 0.0.1** + +Use Semantic Versioning to help other see at a glance if this document has been updated and what was the scope of the udpate. + +- Major version incremented when contact information changes in the `security.md` file or in the `security.txt` file that refers to this file. Or a required field in the `security.txt` has changed in a non backwards compatible manner. +- Minor update is a backward compatible change has been made to the aforementioned files. +- Patch update is when a minor typo is fixed but no significant change has been made. From 73c1347f17be92a1852b19b770f829690130cb1c Mon Sep 17 00:00:00 2001 From: Roshan Krishnachandra Jha Date: Mon, 27 Jul 2020 19:36:17 +0530 Subject: [PATCH 2/2] Adding facebook's white hat policy --- SECURITY.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 8d3f72f62..fb7c63cd6 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -75,3 +75,11 @@ Use Semantic Versioning to help other see at a glance if this document has been - Major version incremented when contact information changes in the `security.md` file or in the `security.txt` file that refers to this file. Or a required field in the `security.txt` has changed in a non backwards compatible manner. - Minor update is a backward compatible change has been made to the aforementioned files. - Patch update is when a minor typo is fixed but no significant change has been made. + +# Security Policy + +Please do not open GitHub issues or pull requests - this makes the problem immediately visible to everyone, including malicious actors. Security issues in the SDK can be safely reported via Facebook's Whitehat Bug Bounty program: + +[facebook.com/whitehat](https://www.facebook.com/whitehat) + +Facebook's security team will triage your report and determine whether or not is it eligible for a bounty under our program.
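Review bot: The first patch (`@@ -0,0 +1,77 @@`) ships template text that was never filled in, and the most important instance is the "Encryption key for [EMAIL ADDRESS]" section: the fenced block is a PGP armor header wrapped around rows of `x`, so a reporter who takes "you may encrypt your transmission with key below" at face value will fail to import it, or worse, send the report in the clear after assuming it went through. Either paste the maintainer's real public key (with its fingerprint stated in prose so it can be verified out of band) or drop the section entirely. The same sweep should remove the other leftovers: `Discuss how someone should disclose a vulnerability to "react-360", in tl;dr ( or ELI5 ) language. Then expand on this ...` is an instruction to the author, not to the reader; `Follow these steps to improve security when using "MY-PROJECT".` still carries the template project name; and `` `SHOW HOW TO CODE EXAMPLES IF POSSIBLE` `` under "How?" is a placeholder. The reporting link `https://github.com/facebook/react-360/security.md` also looks wrong: there is no `blob/<branch>/` segment and the filename case differs from the `SECURITY.md` this patch creates, so it will most likely not resolve; point it at the file actually added here. Smaller fixes: `[andrewi@fb.com]` is bracketed text rather than a `mailto:` link, "subject line.." has a doubled period, the disclosure-format list mixes "Your name and affiliation" with lowercase "include scope of vulnerability" (make the items parallel), "help other see" should be "help others see", and "udpate" should be "update".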
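Review bot: The second patch (`@@ -75,3 +75,11 @@`) introduces a second, conflicting reporting channel without reconciling it with the first. The file already tells reporters to "Report security bugs by emailing the lead maintainer", while the new `# Security Policy` section says issues "can be safely reported via Facebook's Whitehat Bug Bounty program"; state which channel is primary and whether direct email is still accepted, otherwise reporters have to guess. Placement and heading level compound this: the new section is a top-level `#` appended after the `## Version` block and the `##` sections, so the policy most people should read first comes last. Move it near the top and use the existing `##` level. The patch also contradicts the versioning rule the file defines a few lines above it: "Major version incremented when contact information changes", yet `**version 0.0.1**` is left untouched while the contact information changes; bump the version in the same commit. Finally, "whether or not is it eligible" should read "whether or not it is eligible", and "Security issues in the SDK" should name react-360 consistently with the rest of the document.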