pupilfirst/pupilfirst

SECURITY.md

# Security Policy

The Pupilfirst team takes web security very seriously. This means regular updates to keep the application's
dependencies current, a detailed review process for every change made to the platform code, and immediate
resolution of issues raised by GitHub's automated security advisories.

This also means a clear policy on how to report vulnerabilities and receive updates when fixes for those
vulnerabilities are released.

## Reporting a vulnerability

To report a security vulnerability, please send an email to security@pupilfirst.org.

Your report will be acknowledged within 24 hours, and you’ll receive a more detailed response to your email within 48
hours indicating the next steps in handling your report.

After the initial reply to your report, our team will keep you informed of the progress being made towards
a fix and a full announcement. These updates will be sent at least once a week. In most cases, resolution of an issue
should take no more than 48 hours.

If you have not received a reply to your email within 48 hours, or have not heard from the Pupilfirst team for the past
week, there are a few steps you can take:

1. Contact the lead developer ([Hari Gopal](mailto:mail@harigopal.in)) directly.
2. Contact the developers on [our Discord server](https://discord.gg/Sh67Tca).

Please note that the Discord server is a public area. When escalating, do not discuss the issue itself there; simply
say that you're trying to get hold of someone from the development team.

## Disclosure process

1. The security report is received and assigned a primary handler. This person coordinates the fix and release process.
   The problem is confirmed, and the code is audited to find any similar problems.
2. A fix is prepared and held locally pending the announcement.
3. A draft security advisory is prepared on GitHub, including details of the fix and advice on how to apply it.
4. The security advisory and the fix are released to the public at the same time.

We currently do not offer any monetary compensation for security-related disclosures.

## Improving the security policy

If you have any suggestions to improve this policy, please send an email to security@pupilfirst.org.