From 99e6e732352c483bcbd9efae7aaf0560f3e88173 Mon Sep 17 00:00:00 2001 From: Brian P O'Rourke Date: Sat, 11 Jul 2020 09:37:41 -0700 Subject: Add contribution guidelines for vulnerability reports --- CONTRIBUTING | 20 ++++++++++++++++++++ README.md | 2 +- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/CONTRIBUTING b/CONTRIBUTING index 800d7bd21..394fe02ad 100644 --- a/CONTRIBUTING +++ b/CONTRIBUTING @@ -20,6 +20,26 @@ There is also an active community of Redis users at Stack Overflow: http://stackoverflow.com/questions/tagged/redis +# Reporting Security Bugs + +*If you are reporting a security bug*, please contact the core team privately +by emailing redis@redis.io. Your report will be acknowledged by a core team +member and once the report has been reviewed you will receive a more detailed +response including next steps. + +If you do not receive a reply you can escalate to the Redis Google Group, +linked above. Because this group is a public space please do not disclose the +issue in detail, only say that you are trying to reach the core team for a +security issue. + +Redis follows a responsible disclosure process: + +1. Reports are reviewed and analyzed privately +2. Patches are prepared for supported versions of Redis +3. Vendor lists are notified with an embargo date to reduce the public impact +4. We push a fix release and your bug can be posted publicly with credit in + release notes and the version history (and our thanks!) + # How to provide a patch for a new feature 1. If it is a major feature or a semantical change, please don't start coding diff --git a/README.md b/README.md index 55537e01f..a3c5def9f 100644 --- a/README.md +++ b/README.md 
@@ -203,7 +203,7 @@ of the BSD license that you can find in the [COPYING][1] file included in the Re source distribution. Please see the [CONTRIBUTING][2] file in this source distribution for more -information. +information, including details on our process for security bugs/vulnerabilities. [1]: https://github.com/redis/redis/blob/unstable/COPYING [2]: https://github.com/redis/redis/blob/unstable/CONTRIBUTING -- cgit v1.2.1
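Review bot: The escalation paragraph in the CONTRIBUTING hunk ("If you do not receive a reply you can escalate to the Redis Google Group") gives the reporter no time window, so it is unclear how long to wait before raising a security matter on a public list; state one explicitly, e.g. "If you do not receive an acknowledgement within <N> days" (N is a placeholder for the maintainers to choose), and consider pairing it with the expected acknowledgement time for the private email so the two figures line up. In the disclosure list, step 4 is the only place the reporter's role is mentioned; it would help to say whether the reporter is told the planned fix-release date and the embargo date from step 3, so they can coordinate any writeup of their own with the release rather than learning the date from the release notes.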
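Review bot: The README hunk only says that CONTRIBUTING holds the security process; since the README is the first file most readers open, consider repeating the private contact address given in the CONTRIBUTING hunk (redis@redis.io) in this sentence so a reporter can find it without following the link. Minor wording: "security bugs/vulnerabilities" reads better as "security bugs and vulnerabilities".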