@@ -1,5 +1,9 @@
-# Security Policy
+# Reporting Security Vulnerabilities
-## Reporting a Vulnerability
+**If you believe you have discovered a security issue with VestaCP, please open a new private security vulnerability report through https://github.com/outroll/vesta/security/advisories/new.
-Please report security issues to dev@vestacp.com
+You can also report security vulnerabilities to [security@vestacp.com](mailto:security@vestacp.com), and we will create a new security advisory for tracking the fix on your behalf.
+
+We value the effort and contribution of independent security researchers and will credit security researchers in the release notes of the fix, on the following conditions:
+- Vulnerabilities are not published publicly prior to the VestaCP releasing a fix; and
+- Researchers provide at least 90 days to address the issue before disclosing it publicly.
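
Review bot: the added paragraph beginning `**If you believe you have discovered a security issue` opens bold with `**` and never closes it, so the Markdown will render with stray asterisks or unintended bold; close the markers at the end of that sentence or drop them. The two credit conditions also pull against each other as written: the first rules out publication before a fix is released, the second asks for at least 90 days before disclosure, and because they are joined by "and" it is unclear what applies when no fix has shipped by day 90. Suggest stating a single rule for that case and changing "prior to the VestaCP releasing a fix" to "prior to VestaCP releasing a fix". Since the `dev@vestacp.com` contact is removed here, it would help to state whether reports sent to that address are still handled.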