# Security Policy

## Supported Projects

Please follow this guidance when reporting security issues affecting:

- [Shields.io](https://shields.io)
- [Raster.shields.io](https://raster.shields.io)
- Self-hosted Shields instances
- The [squint](https://github.com/badges/squint) raster proxy
- The [badge-maker](https://www.npmjs.com/package/badge-maker) NPM package

The [gh-badges](https://www.npmjs.com/package/gh-badges) and [svg-to-image-proxy](https://www.npmjs.com/package/svg-to-image-proxy) NPM packages are now deprecated and will no longer receive fixes for bugs or security issues.

## Reporting a Vulnerability

If you find a security vulnerability affecting any of our supported projects, please email [security@shields.io](mailto:security@shields.io), rather than opening a public issue on GitHub. After receiving the initial report, we will endeavor to keep you informed of the progress towards a fix and full announcement. We may ask you for additional information. You are also welcome to propose a patch or solution.

Report security bugs in third-party modules to the person or team maintaining the module.

## Coordinated Disclosure

We aim to patch confirmed vulnerabilities within 90 days or less, disclosing the details of those vulnerabilities when a patch is published. We ask that you refrain from sharing your report with others while we work on our patch.

We may want to coordinate an advisory with you to be published simultaneously with the patch, but you are also welcome to self-disclose after 90 days if you prefer. We will never publish information about you or our communications with you without your permission.