Add contribution guidelines for vulnerability reports

2020-07-11 09:37:41 -07:00 · 2020-07-11 09:37:41 -07:00 · 99e6e73235
parent 3e35ac9d7f
commit 99e6e73235
2 changed files with 21 additions and 1 deletions
--- a/20
+++ b/20
@ -20,6 +20,26 @@ There is also an active community of Redis users at Stack Overflow:

    http://stackoverflow.com/questions/tagged/redis

+# Reporting Security Bugs
+
+*If you are reporting a security bug*, please contact the core team privately
+by emailing redis@redis.io. Your report will be acknowledged by a core team
+member and once the report has been reviewed you will receive a more detailed
+response including next steps.
+
+If you do not receive a reply you can escalate to the Redis Google Group,
+linked above. Because this group is a public space please do not disclose the
+issue in detail, only say that you are trying to reach the core team for a
+security issue.
+
+Redis follows a responsible disclosure process:
+
+1. Reports are reviewed and analyzed privately
+2. Patches are prepared for supported versions of Redis
+3. Vendor lists are notified with an embargo date to reduce the public impact
+4. We push a fix release and your bug can be posted publicly with credit in
+   release notes and the version history (and our thanks!)
+
 # How to provide a patch for a new feature

 1. If it is a major feature or a semantical change, please don't start coding
--- a/README.md
+++ b/README.md
@ -203,7 +203,7 @@ of the BSD license that you can find in the [COPYING][1] file included in the Re
 source distribution.

 Please see the [CONTRIBUTING][2] file in this source distribution for more
-information.
+information, including details on our process for security bugs/vulnerabilities.

 [1]: https://github.com/redis/redis/blob/unstable/COPYING
 [2]: https://github.com/redis/redis/blob/unstable/CONTRIBUTING