chore: Update security guidelines (#5382)

- update security guidelines
This commit is contained in:
Sojan Jose 2022-09-02 16:59:38 +05:30 committed by GitHub
parent 03c8251cc3
commit 8bdd229adb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -1,30 +1,55 @@
# Security Policy Chatwoot is looking forward to working with security researchers worldwide to keep Chatwoot and our users safe. If you have found an issue in our systems/applications, please reach out to us.
Chatwoot is looking forward to working with security researchers across the world to keep Chatwoot and our users safe. If you have found an issue in our systems/applications, please reach out to us.
## Reporting a Vulnerability ## Reporting a Vulnerability
We use [huntr.dev](https://huntr.dev/) for security issues that affect our project. If you believe you have found a vulnerability, please disclose it via this [form](https://huntr.dev/bounties/disclose). We use [huntr.dev](https://huntr.dev/) for security issues that affect our project. If you believe you have found a vulnerability, please disclose it via this [form](https://huntr.dev/bounties/disclose). This will enable us to review the vulnerability, fix it promptly, and reward you for your efforts.
This will enable us to review the vulnerability, fix it promptly, and reward you for your efforts. If you have any questions about the process, contact security@chatwoot.com.
If you have any questions about the process, feel free to reach out to security@chatwoot.com. Please try your best to describe a clear and realistic impact for your report, and please don't open any public issues on GitHub or social media; we're doing our best to respond through Huntr as quickly as possible.
> Note: Please use the email for questions related to the process. Disclosures should be done via [huntr.dev](https://huntr.dev/)
## Supported versions
| Version | Supported |
| ------- | -------------- |
| latest | ️✅ |
| <latest | |
## Out of scope ## Vulnerabilities we care about 🫣
> Note: Please do not perform testing against Chatwoot production services. Use a `self-hosted instance` to perform tests.
- Remote command execution
- SQL Injection
- Authentication bypass
- Privilege Escalation
- Cross-site scripting (XSS)
- Performing limited admin actions without authorization
- CSRF
Please do not perform testing against Chatwoot production services. Use a self hosted instance to perform tests. You can learn more about our triaging process [here](https://www.chatwoot.com/docs/contributing-guide/security-reports).
We consider the following to be out of scope, though there may be exceptions. ## Non-Qualifying Vulnerabilities
We consider the following out of scope, though there may be exceptions.
- Missing HTTP security headers - Missing HTTP security headers
- Self XSS - Incomplete/Missing SPF/DKIM
- HTTP Host Header XSS without working proof-of-concept - Reports from automated tools or scanners
- Theoretical attacks without proof of exploitability
- Social engineering
- Reflected file download
- Physical attacks
- Weak SSL/TLS/SSH algorithms or protocols
- Attacks involving physical access to a user's device or a device or network that's already seriously compromised (e.g., man-in-the-middle).
- The user attacks themselves
- Incomplete/Missing SPF/DKIM - Incomplete/Missing SPF/DKIM
- Denial of Service attacks - Denial of Service attacks
- Brute force attacks
- DNSSEC - DNSSEC
- Social Engineering attacks
If you are not sure about the scope, please create a report. If you are unsure about the scope, please create a [report](https://huntr.dev/repos/chatwoot/chatwoot/).
## Thanks ## Thanks