thevar1able/ClickHouse
1
0
Fork 0
mirror of https://github.com/ClickHouse/ClickHouse.git synced 2024-09-20 00:30:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update SECURITY.md

Browse Source
This commit is contained in:
alexey-milovidov 2021-08-23 16:10:41 +03:00 committed by GitHub
parent 215814414d
commit 9a9ea8bba4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
SECURITY.md
View File

@ -34,29 +34,28 @@ The following versions of ClickHouse server are currently being supported with s
## Reporting a Vulnerability ## Reporting a Vulnerability
We're extremely grateful for security researchers and users that report vulnerabilities to the Kubernetes Open Source Community. All reports are thoroughly investigated by a set of community volunteers. We're extremely grateful for security researchers and users that report vulnerabilities to the ClickHouse Open Source Community. All reports are thoroughly investigated by developers.
To report a potential vulnerability in ClickHouse please send the details about it to [clickhouse-feedback@yandex-team.com](mailto:clickhouse-feedback@yandex-team.com). To report a potential vulnerability in ClickHouse please send the details about it to [clickhouse-feedback@yandex-team.com](mailto:clickhouse-feedback@yandex-team.com).
### When Should I Report a Vulnerability? ### When Should I Report a Vulnerability?
- You think you discovered a potential security vulnerability in Clickhouse - You think you discovered a potential security vulnerability in ClickHouse
- You are unsure how a vulnerability affects Clickhouse - You are unsure how a vulnerability affects ClickHouse
### When Should I NOT Report a Vulnerability? ### When Should I NOT Report a Vulnerability?
- You need help tuning Clickhouse components for security - You need help tuning ClickHouse components for security
- You need help applying security related updates - You need help applying security related updates
- Your issue is not security related - Your issue is not security related
## Security Vulnerability Response ## Security Vulnerability Response
Each report is acknowledged and analyzed by Clickhouse maintainers within 3 working days. Each report is acknowledged and analyzed by ClickHouse maintainers within 5 working days.
As the security issue moves from triage, to identified fix, to release planning we will keep the reporter updated. As the security issue moves from triage, to identified fix, to release planning we will keep the reporter updated.
## Public Disclosure Timing ## Public Disclosure Timing
A public disclosure date is negotiated by the Clickhouse maintainers and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. For a vulnerability with a straightforward mitigation, we expect report date to disclosure date to be on the order of 7 days. A public disclosure date is negotiated by the ClickHouse maintainers and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to 90 days. For a vulnerability with a straightforward mitigation, we expect report date to disclosure date to be on the order of 7 days.