From 42b944295a12e09426bc220aae0cd5c1b2410ae2 Mon Sep 17 00:00:00 2001 From: Rand McKinney Date: Fri, 13 Nov 2015 13:35:09 -0800 Subject: [PATCH] Add Security document closes #2733 closes #2804 --- Readme.md | 4 ++++ Security.md | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 Security.md diff --git a/Readme.md b/Readme.md index 8da83a51..d0c081cc 100644 --- a/Readme.md +++ b/Readme.md @@ -47,6 +47,10 @@ $ npm install express **PROTIP** Be sure to read [Migrating from 3.x to 4.x](https://github.com/strongloop/express/wiki/Migrating-from-3.x-to-4.x) as well as [New features in 4.x](https://github.com/strongloop/express/wiki/New-features-in-4.x). +###Security Issues + +If you discover a security vulnerability in Express, please see [Security Policies and Procedures](security.md). + ## Quick Start The quickest way to get started with express is to utilize the executable [`express(1)`](https://github.com/expressjs/generator) to generate an application as shown below: diff --git a/Security.md b/Security.md new file mode 100644 index 00000000..0c6d8232 --- /dev/null +++ b/Security.md 
@@ -0,0 +1,53 @@ +# Security Policies and Procedures + +This document outlines security procedures and general policies for the Express +project. + + * [Reporting a Bug](#reporting-a-bug) + * [Disclosure Policy](#disclosure-policy) + * [Receiving Security Updates](#receiving-security-updates) + * [Comments on this Policy](#comments-on-this-policy) + +## Reporting a Bug + +The Express team and community take all security bugs in Express seriously. +Thank you for improving the security of Express. We appreciate your efforts and +responsible disclosure and will make every effort to acknowledge your +contributions. + +Report security bugs by emailing security@expressjs.com. Email to this address +is delivered to a subset of the core team who handle security issues. + +The security team will acknowledge your email within 24 hours, and will send a +more detailed response within 48 hours indicating the next steps in handling +your report. After the initial reply to your report, the security team will +endeavor to keep you informed of the progress towards a fix and full +announcement, and may ask for additional information or guidance. + +Report security bugs in third-party modules to the person or team maintaining +the module. You can also report a vulnerability through the +[Node Security Project](https://nodesecurity.io/report). + +## Disclosure Policy + +When the security team receives a security bug report, they will assign it to a +primary handler. This person will coordinate the fix and release process, +involving the following steps: + + * Confirm the problem and determine the affected versions. + * Audit code to find any potential similar problems. + * Prepare fixes for all releases still under maintenance. These fixes will be + released as fast as possible to npm. + +## Receiving Security Updates + +Security notifications will be distributed via the following methods. 
+ + * https://groups.google.com/forum/#!forum/express-js + * http://blog.strongloop.com + * http://expressjs.com/advanced/security-updates.html + +## Comments on this Policy + +If you have suggestions on how this process could be improved please submit a +pull request or email security@expressjs.com to discuss.
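Review bot: In the Readme.md hunk the new link target is `security.md` (lowercase), but the file this same patch creates is `Security.md`; on case-sensitive hosts such as GitHub the link will 404, so change it to `[Security Policies and Procedures](Security.md)`. Also, `###Security Issues` has no space after the hashes, which CommonMark does not render as a heading, and the neighbouring sections of the Readme are level 2 (`## Quick Start`); suggest `## Security Issues` for consistency.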
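Review bot: In the Security.md hunk the "Disclosure Policy" section only lists the fix steps (confirm the problem, audit for similar issues, prepare fixes for maintained releases) and never says when or how the issue is disclosed publicly, whether the reporter is asked to hold details until the release, or whether they are credited; add a closing step such as "Publish an advisory and release notes once the fixes are on npm, crediting the reporter unless they ask otherwise" so the section matches its heading and the "full announcement" promised under "Reporting a Bug". Minor: two of the three notification channels are linked as plain `http://` (`http://blog.strongloop.com`, `http://expressjs.com/advanced/security-updates.html`); if those hosts serve TLS, link them as `https://` so readers fetch security notices over an authenticated channel.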