adopt SSWG security guidelines (#30)

* Create SECURITY.md * Update README.md * Update README.md
apple · Jun 21, 2021 · f8233fb · f8233fb
1 parent 6f6e76e
commit f8233fb
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -9,7 +9,7 @@ a metrics backend for [swift-metrics](https://github.com/apple/swift-metrics) th
 * [graphite](https://graphiteapp.org)
 * many others
 
-## getting started
+## Getting started
 
 create an instance of the `StatsdClient` and boostrap the `MertricsSystem`  in your application's main:
 
@@ -26,8 +26,7 @@ remeber to also shutdown the client before you application terminates:
 statsdClient.shutdown()
 ```
 
-
-## architecture
+## Architecture
 
 the statsd client uses [swift-nio](https://github.com/apple/swift-nio) to establish a UDP connection to the statsd server
 
@@ -36,3 +35,11 @@ metrics types are mapped as follwoing:
 * Gauge -> Gauge
 * Recorder -> Histogram
 * Timer -> Timer
+
+## Security
+
+Please see [SECURITY.md](SECURITY.md) for details on the security process.
+
+## Getting involved
+
+Do not hesitate to get in touch as well, over on https://forums.swift.org/c/server
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,43 @@
+# Security
+
+This document specifies the security process for the SwiftStatsDClient project.
+
+## Disclosures
+
+### Private Disclosure Process
+
+The SwiftStatsDClient maintainers ask that known and suspected vulnerabilities be
+privately and responsibly disclosed by emailing
+[[email protected]](mailto:[email protected])
+with the all the required detail.
+**Do not file a public issue.**
+
+#### When to report a vulnerability
+
+* You think you have discovered a potential security vulnerability in SwiftStatsDClient.
+* You are unsure how a vulnerability affects SwiftStatsDClient.
+
+#### What happens next?
+
+* A member of the team will acknowledge receipt of the report within 3
+  working days (United States). This may include a request for additional
+  information about reproducing the vulnerability.
+* We will privately inform the Swift Server Work Group ([SSWG][sswg]) of the
+  vulnerability within 10 days of the report as per their [security
+  guidelines][sswg-security].
+* Once we have identified a fix we may ask you to validate it. We aim to do this
+  within 30 days. In some cases this may not be possible, for example when the
+  vulnerability exists at the protocol level and the industry must coordinate on
+  the disclosure process.
+* If a CVE number is required, one will be requested from [MITRE][mitre]
+  providing you with full credit for the discovery.
+* We will decide on a planned release date and let you know when it is.
+* Prior to release, we will inform major dependents that a security-related
+  patch is impending.
+* Once the fix has been released we will publish a security advisory on GitHub
+  and in the Server → Security Updates category on the [Swift forums][swift-forums-sec].
+
+[sswg]: https://github.com/swift-server/sswg
+[sswg-security]: https://github.com/swift-server/sswg/blob/main/security/README.md
+[swift-forums-sec]: https://forums.swift.org/c/server/security-updates/
+[mitre]: https://cveform.mitre.org/