From 9941818a6ed780237aea08b9ca8a8716a99b6e95 Mon Sep 17 00:00:00 2001 From: Marco Ochse Date: Fri, 12 May 2023 18:37:04 +0200 Subject: [PATCH] Create SECURITY.md --- SECURITY.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..56c91e75 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,20 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| 22.04.x | :white_check_mark: | + + +## Reporting a Vulnerability + +We take security of T-Pot very seriously. If one of T-Pot's components is affected, it is most likely that a upstream component we rely on is involved, such as a honeypot, docker image, tool or package. Together we will find the best possible way to remedy the situation. + +Before you submit a possible vulnerability, please ensure you have done the following: +1. You have checked the documentation, issues and discussions if the detected behavior is typical and does not revolve around other issues. I.e. Cowrie will be detected with outgoing conncection requests or T-Pot opening all possible TCP ports which Honeytrap enabled install flavors will do as a feature. +2. You have identified the vulnerable component and isolated your finding (honeypot, docker image, tool, package, etc.). +3. You have a detailed description including log files, possibly debug files, with all steps necessary for us to reproduce / trigger the behaviour or vulnerability. At best you already have a possible solution, hotfix, fix or patch to remedy the situation and want to submit a PR. +4. You have checked if the possible vulnerability is known upstream. If a fix / patch is already available, please provide the necessary info. + +We will get back to you as fast as possible. In case you think this is an emergency for the whole T-Pot community feel free to speed things up by **responsibly** informing our [CERT](https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/security/details/introducing-deutsche-telekom-cert-358316).
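Review bot: The "Reporting a Vulnerability" section does not say where a non-emergency report should be sent. The only submission paths it names are a PR (step 3) and the CERT link for emergencies, so a reporter following the checklist may put reproduction steps and log files into a public issue or PR before a fix exists. Suggest adding one sentence that names a private channel for the initial report (a security contact address or the hosting platform's private advisory feature) and asks reporters not to open a public issue for unpatched findings. Step 3 also asks for log and debug files. Honeypot logs can contain captured credentials, attacker payloads and the reporter's own addresses, so it would help to ask reporters to redact them. Minor wording in the same hunk: "a upstream component" should be "an upstream component", "conncection" should be "connection", and the "I.e." in step 1 introduces examples, so "e.g." fits better. The sentence "T-Pot opening all possible TCP ports which Honeytrap enabled install flavors will do as a feature" is hard to parse and could be split in two.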