Use Signal instead of PGP to contact me securely (#52)

Dustin J. Mitchell 2024-11-16 13:40:35 -05:00 committed by GitHub
parent 4727c9b8b6
commit 7d0325e807
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

13
SECURITY.md Normal file

@ -0,0 +1,13 @@
# Security
To report a vulnerability, please contact Dustin via signal, [`djmitche.78`](https://signal.me/#eu/2T98jpkMAzvFL2wg3OkZnNrfhk1DFfu6eqkMEPqcAuCsLZPVk39A67rp4khmrMNF).
Initial response is expected within ~48h.
We kindly ask to follow the responsible disclosure model and refrain from sharing information until:
1. Vulnerabilities are patched in `taskchampion-sync-server` + 60 days to coordinate with distributions.
2. 90 days since the vulnerability is disclosed to us.
We recognise the legitimacy of public interest and accept that security researchers can publish information after 90-days deadline unilaterally.
We will assist with obtaining CVE and acknowledge the vulnerabilities reported.
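
Review bot: the numbered list under "refrain from sharing information until:" does not say how its two conditions combine, so a reporter cannot tell when the embargo ends. Item 1 (patch plus 60 days) can run past the 90 days in item 2, while the following sentence lets researchers publish unilaterally after the 90-day deadline, which implies "whichever comes first"; say so explicitly in the lead-in to the list, for example "until the earlier of:". Separately, the only reporting channel is one person's Signal username, so consider naming a fallback contact for when that account is unreachable, and state what a report should include (affected version, reproduction steps) so the ~48h initial response can be a useful one. Minor wording: capitalise "Signal", and "We kindly ask to follow" and "after 90-days deadline" would read better as "We kindly ask reporters to follow" and "after the 90-day deadline".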