| field | value | date |
|---|---|---|
| author | Brian P O'Rourke <brian@orourke.io> | 2020-07-11 09:37:41 -0700 |
| committer | Oran Agra <oran@redislabs.com> | 2020-07-22 16:24:39 +0300 |
| commit | 99e6e732352c483bcbd9efae7aaf0560f3e88173 (patch) | |
| tree | 1d60c926e0d7396ca242dfdcd9a04b8c8716c5fa | |
| parent | 3e35ac9d7f2d2fc326443061c3323c0538a85ed0 (diff) | |
| download | redis-99e6e732352c483bcbd9efae7aaf0560f3e88173.tar.gz | |
Add contribution guidelines for vulnerability reports
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | CONTRIBUTING | 20 |
| -rw-r--r-- | README.md | 2 |

2 files changed, 21 insertions, 1 deletion
diff --git a/CONTRIBUTING b/CONTRIBUTING index 800d7bd21..394fe02ad 100644 --- a/CONTRIBUTING +++ b/CONTRIBUTING @@ -20,6 +20,26 @@ There is also an active community of Redis users at Stack Overflow: http://stackoverflow.com/questions/tagged/redis +# Reporting Security Bugs + +*If you are reporting a security bug*, please contact the core team privately +by emailing redis@redis.io. Your report will be acknowledged by a core team +member and once the report has been reviewed you will receive a more detailed +response including next steps. + +If you do not receive a reply you can escalate to the Redis Google Group, +linked above. Because this group is a public space please do not disclose the +issue in detail, only say that you are trying to reach the core team for a +security issue. + +Redis follows a responsible disclosure process: + +1. Reports are reviewed and analyzed privately +2. Patches are prepared for supported versions of Redis +3. Vendor lists are notified with an embargo date to reduce the public impact +4. We push a fix release and your bug can be posted publicly with credit in + release notes and the version history (and our thanks!) + # How to provide a patch for a new feature 1. If it is a major feature or a semantical change, please don't start coding @@ -203,7 +203,7 @@ of the BSD license that you can find in the [COPYING][1] file included in the Re source distribution. Please see the [CONTRIBUTING][2] file in this source distribution for more -information. +information, including details on our process for security bugs/vulnerabilities. [1]: https://github.com/redis/redis/blob/unstable/COPYING [2]: https://github.com/redis/redis/blob/unstable/CONTRIBUTING |
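Review bot: in the CONTRIBUTING hunk, the new "Reporting Security Bugs" section gives no acknowledgement window, so "If you do not receive a reply you can escalate" leaves the reporter guessing whether to wait a day or a month before posting to a public group; state an expected response time (for example, "within N business days") before the escalation sentence. Two smaller points in the same hunk: the section tells reporters to email redis@redis.io but says nothing about whether an encryption key is available for sending details of a vulnerability, which is worth stating either way, and step 4 ("your bug can be posted publicly with credit") does not say who publishes and when the reporter is free to publish their own write-up, which is the question an embargo process most needs to answer. Style: steps 1-3 have no terminal punctuation while step 4 ends in a parenthetical sentence; make the list consistent.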
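Review bot: in the README.md hunk, the one-line change only points readers at CONTRIBUTING, so someone who opens the README looking for where to send a vulnerability report still has to open a second file to find the address; consider either naming the contact channel in the README sentence itself or adding a dedicated security section so the pointer is findable under its own heading. A minor wording point on the added line: "security bugs/vulnerabilities" reads better as "security vulnerabilities", matching the heading the CONTRIBUTING hunk introduces.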