From 08c094b8a596754c4706311facdfe8e071c2fefc Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Thu, 12 Jan 2023 17:16:46 +0100
Subject: [PATCH] docs(SECURITY.md): Include Security Policy (#1697)

Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Co-authored-by: Pepe Fagoaga
---
 SECURITY.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..288befc6
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,23 @@ +# Security Policy + +## Software Security +As an **AWS Partner** and we have passed the [AWS Foundation Technical Review (FTR)](https://aws.amazon.com/partners/foundational-technical-review/) and we use the following tools and automation to make sure our code is secure and dependencies up-to-dated: + +- `bandit` for code security review. +- `safety` and `dependabot` for dependencies. +- `hadolint` and `dockle` for our containers security. +- `snyk` in Docker Hub. +- `clair` in Amazon ECR. +- `vulture`, `flake8`, `black` and `pylint` for formatting and best practices. + +## Reporting a Vulnerability + +If you would like to report a vulnerability or have a security concern regarding Prowler Open Source or ProwlerPro service, please submit the information by contacting to help@prowler.pro. + +The information you share with Verica as part of this process is kept confidential within Verica and the Prowler team. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you. + +We will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process. + +You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability. + +We will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.
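Review bot: The "Software Security" opening sentence in this hunk has a stray "and" and a non-word, which makes the policy read less carefully than the tooling it lists: "As an **AWS Partner** and we have passed the [AWS Foundation Technical Review (FTR)](...) and we use the following tools and automation to make sure our code is secure and dependencies up-to-dated:" should become "As an **AWS Partner**, we have passed the [AWS Foundation Technical Review (FTR)](...) and we use the following tools and automation to make sure our code is secure and dependencies are up to date:". In "Reporting a Vulnerability", "by contacting to help@prowler.pro" should be "by contacting help@prowler.pro", and "Verica" appears in the confidentiality paragraph without ever being introduced, so a reporter who only knows Prowler cannot tell who actually receives and stores the report; state the relationship between Verica and the Prowler project in that sentence. Two gaps worth closing before this is merged: the policy commits to a non-automated acknowledgement within 24 hours but gives no expected timeline for triage, fix or the coordinated public notification it mentions, and it has no supported-versions section, so reporters cannot tell which Prowler releases receive security fixes. Since reports currently travel over plain e-mail, consider also publishing a PGP key or another encrypted channel next to the help@prowler.pro address.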