- SECURITY.md: formalize vulnerability reporting process with GitHub Private Security Advisory and email channels, add response SLA (3-day ack, 14-day triage, 90-day disclosure), add security response team and disclosure policy
- CONTRIBUTING_EN/CN/JP.md: add test requirements for new functionality (30% plugin coverage gate, 50% patch coverage), link security reporting to SECURITY.md
- README/README_ZH/README_JP: remove OpenSSF Best Practices badge placeholder until passing badge is achieved

Change-Id: Ice19b163c48dab73c903a0b9f4c33ddeff892ebb
Co-developed-by: Kiro <noreply@kiro.dev>
Signed-off-by: EndlessSeeker <1766508902@qq.com>
# Security Policy
The Higress team takes security seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.
## Supported Versions
| Version | Supported |
|---|---|
| 2.x.x | ✅ |
| 1.x.x | ✅ |
| < 1.0.0 | ❌ |
## Reporting a Vulnerability
Please do NOT report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, please report them through one of the following private channels:
- GitHub Private Security Advisory: https://github.com/higress-group/higress/security/advisories/new
- Email: higress@googlegroups.com
Please include as much of the following information as possible to help us triage and address the issue:
- Type of issue (e.g., buffer overflow, injection, privilege escalation)
- Full paths of source file(s) related to the issue (if known)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Any suggested fix or mitigation (if available)
## Response Process
The Higress security team will follow these steps upon receiving a report:
- Acknowledgement: We will acknowledge receipt of your report within 3 business days.
- Triage: We will evaluate the report, confirm the vulnerability, and determine its severity and impact within 14 days.
- Fix Development: We will develop a fix and coordinate with you on an appropriate disclosure timeline.
- Disclosure: We will publish a security advisory via GitHub Security Advisories and credit you for the discovery (unless you prefer to remain anonymous).
We aim to resolve critical vulnerabilities as quickly as possible and will keep you informed of our progress throughout the process.
## Security Response Team
The Higress security response is handled by the project maintainers listed in MAINTAINERS.md. Security reports sent to higress@googlegroups.com are received by all current maintainers.
## Disclosure Policy
We follow a coordinated disclosure process:
- We ask reporters to give us a reasonable amount of time to address the issue before any public disclosure.
- We will work with you to agree on a disclosure timeline, typically 90 days from the initial report.
- We will publish security advisories and, where appropriate, request CVE identifiers for confirmed vulnerabilities.
- We will credit reporters in the advisory unless they request anonymity.
## Security-Related Configuration
For guidance on securely deploying and configuring Higress, please refer to the official documentation. Key security features include:
- Built-in WAF protection plugin
- Authentication plugins (key-auth, hmac-auth, jwt-auth, basic-auth, OIDC)
- IP/Cookie-based CC protection
- TLS termination with automatic Let's Encrypt certificate management
Higress is a Cloud Native Computing Foundation sandbox project.