jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-05-11 06:17:26 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
3e84ff3537fc0b47754e109989a0d34e8eff246b
higress/SECURITY.md
EndlessSeeker 3e84ff3537 docs: update SECURITY.md, CONTRIBUTING docs, and remove OpenSSF badge placeholder 
- SECURITY.md: formalize vulnerability reporting process with GitHub Private
  Security Advisory and email channels, add response SLA (3-day ack, 14-day
  triage, 90-day disclosure), add security response team and disclosure policy
- CONTRIBUTING_EN/CN/JP.md: add test requirements for new functionality
  (30% plugin coverage gate, 50% patch coverage), link security reporting
  to SECURITY.md
- README/README_ZH/README_JP: remove OpenSSF Best Practices badge placeholder
  until passing badge is achieved

Change-Id: Ice19b163c48dab73c903a0b9f4c33ddeff892ebb
Co-developed-by: Kiro <noreply@kiro.dev>
Signed-off-by: EndlessSeeker <1766508902@qq.com>
2026-04-28 15:55:27 +08:00

86 lines
3.2 KiB
Markdown
Raw Blame History

# Security Policy
The Higress team takes security seriously. We appreciate your efforts to
responsibly disclose your findings and will make every effort to acknowledge
your contributions.
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 2.x.x | :white_check_mark: |
| 1.x.x | :white_check_mark: |
| < 1.0.0 | :x: |
## Reporting a Vulnerability
**Please do NOT report security vulnerabilities through public GitHub issues,
discussions, or pull requests.**
Instead, please report them through one of the following private channels:
- **GitHub Private Security Advisory**:
<https://github.com/higress-group/higress/security/advisories/new>
- **Email**: [higress@googlegroups.com](mailto:higress@googlegroups.com)
Please include as much of the following information as possible to help us
triage and address the issue:
- Type of issue (e.g., buffer overflow, injection, privilege escalation, etc.)
- Full paths of source file(s) related to the issue (if known)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Any suggested fix or mitigation (if available)
## Response Process
The Higress security team will follow these steps upon receiving a report:
1. **Acknowledgement**: We will acknowledge receipt of your report within
**3 business days**.
2. **Triage**: We will evaluate the report, confirm the vulnerability, and
determine its severity and impact within **14 days**.
3. **Fix Development**: We will develop a fix and coordinate with you on an
appropriate disclosure timeline.
4. **Disclosure**: We will publish a security advisory via
[GitHub Security Advisories](https://github.com/higress-group/higress/security/advisories)
and credit you for the discovery (unless you prefer to remain anonymous).
We aim to resolve critical vulnerabilities as quickly as possible and will
keep you informed of our progress throughout the process.
## Security Response Team
The Higress security response is handled by the project maintainers listed in
[`MAINTAINERS.md`](./MAINTAINERS.md). Security reports sent to
higress@googlegroups.com are received by all current maintainers.
## Disclosure Policy
We follow a coordinated disclosure process:
- We ask reporters to give us a reasonable amount of time to address the issue
before any public disclosure.
- We will work with you to agree on a disclosure timeline, typically **90 days**
from the initial report.
- We will publish security advisories and, where appropriate, request CVE
identifiers for confirmed vulnerabilities.
- We will credit reporters in the advisory unless they request anonymity.
## Security-Related Configuration
For guidance on securely deploying and configuring Higress, please refer to
the [official documentation](https://higress.cn/en/docs/latest/overview/what-is-higress/).
Key security features include:
- Built-in WAF protection plugin
- Authentication plugins (key-auth, hmac-auth, jwt-auth, basic-auth, OIDC)
- IP/Cookie-based CC protection
- TLS termination with automatic Let's Encrypt certificate management
---
Higress is a [Cloud Native Computing Foundation](https://www.cncf.io/)
sandbox project.
Reference in New Issue View Git Blame Copy Permalink