-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathsecurity.txt
76 lines (52 loc) · 2.82 KB
/
security.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
= Security Researchers and Vulnerability Reports =
== Invitation to Responsible Security Researchers ==
We specifically invite and welcome the scrutiny and participation of
responsible security researchers. Please, inspect the code, abuse the
APIs, fuzz the sockets, and attack the network traffic.
If you are a security research organization, we invite you to contact
us even before you have anything to report, so we can set up a working
relationship, and exchange keys.
== Reporting Vulnerabilities ==
Please report discovered vulnerabiltites to mailto:security@ntpsec.org.
This email alias forwards to a very small cadre of the internal NTPsec
team.
You may GPG encrypt your report. The GPG key can be found on the well
known keyservers, and has the following id and fingerprint:
----------------------------------------------------------------
pub 4096R/CC282DBE 2015-09-29 [expires: 2018-09-13]
Key fingerprint = B09A 8CAB E180 EC66 4CC5 11D8 2A7C 3E36 CC28 2DBE
uid NTPsec Security Reporting <security@ntpsec.org>
----------------------------------------------------------------
== Our Responsiveness Goals ==
Our goal is to ack receipt within 24 hours, verify each potential
vulnerability within 3 days, and if the vulnerability is a significant
network risk, such as remote execution, denial of service, network
amplification, or corruption of time reporting, develop a fix within 7
days.
Our experience so far is that we are much faster than that.
== Honoring Reporter Responsible Disclosure Policies ==
We honor responsible disclosure policies and embargos requested by
responsible security researchers and security research organizations.
Vulnerabilities properly reported to us are tracked in a controlled
access issue tracker. Development of fixes is done in private Git
repos.
When the reasonable embargo period expires, we will promptly merge the
fixes to our public repos, and will cut a new release.
If a vulnerability becomes publically known before the embargo
expires, we will notify the reporter, and then will promptly merge the
fixes to our public repos, and will cut a new release.
If we receive a vulnerability report that is a duplicate, we will put
the reporters in contact with each other, and then will honor the
shortest embargo.
== Our Responsible Disclosure Policies ==
As NTPsec is currently in developer pre-release and is not yet
deployed in production, we currently have no responsible disclosure or
embargo policies of our own. As we find issues and vulnerabilities
ourselves and by ordinary contributors, we will verify and fix on our
existing development and release cadence, in our public issue tracker
and on our public Git repositories.
Once NTPsec is in production use, we will work towards an
industry standard best practices Responsible Disclosure and Embargo
Policy.
image::clocktower64.png[align="center"]
//end