From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Fri, 20 Sep 2019 13:34:48 +0000 (+0200)
Subject: Add a security policy in our repo, remove outdated statement about versions
X-Git-Tag: dnsdist-1.4.0-rc3~9^2~1
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=42fa8581fc8585cd14f2e149a27a20ccc5d2c53c;p=pdns

Add a security policy in our repo, remove outdated statement about versions
---

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..07543dee8
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,23 @@
+PowerDNS Security Policy
+========================
+
+If you have a security problem to report, please email us at both security@powerdns.com and ahu@ds9a.nl.
+In case you want to encrypt your report using PGP, please use: 
+https://www.powerdns.com/powerdns-keyblock.asc
+
+Please do not mail security issues to public lists, nor file a ticket, unless we do not get back to you in a timely manner.
+We fully credit reporters of security issues, and respond quickly, but please allow us a reasonable timeframe to coordinate a response.
+
+We remind PowerDNS users that under the terms of the GNU General Public License, PowerDNS comes with ABSOLUTELY NO WARRANTY.
+This license is included in this documentation.
+
+HackerOne
+---------
+Security issues can also be reported on [our HackerOne page](https://hackerone.com/powerdns) and might fetch a bounty.
+Do note that only the PowerDNS software is in scope for the HackerOne program, not our websites or other infrastructure.
+
+Disclosure Policy
+-----------------
+- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
+- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
+- We will always credit researchers in our security advisories.
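Review bot: The new SECURITY.md duplicates the text of docs/common/security-policy.rst almost verbatim, and the two copies are already diverging in this same commit (the PGP line at "please use:" is split across two lines here but kept on one line in the .rst), so consider having one of them link to the other rather than carrying the text twice. Two smaller points in this hunk: the line "In case you want to encrypt your report using PGP, please use: " ends in a trailing space, and "This license is included in this documentation." no longer makes sense at the repository root, where a reader is not inside the documentation; pointing at the repository's license file instead would be clearer. Since the file gives reporters a URL to fetch the PGP keyblock, publishing the key fingerprint next to it would let them confirm they have the right key before encrypting a report.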
diff --git a/docs/common/security-policy.rst b/docs/common/security-policy.rst
index 6114a3656..6fef5efad 100644
--- a/docs/common/security-policy.rst
+++ b/docs/common/security-policy.rst
@@ -2,16 +2,14 @@ PowerDNS Security Policy
 ------------------------
 
 If you have a security problem to report, please email us at both security@powerdns.com and ahu@ds9a.nl.
+In case you want to encrypt your report using PGP, please use: https://www.powerdns.com/powerdns-keyblock.asc
+
 Please do not mail security issues to public lists, nor file a ticket, unless we do not get back to you in a timely manner.
 We fully credit reporters of security issues, and respond quickly, but please allow us a reasonable timeframe to coordinate a response.
 
 We remind PowerDNS users that under the terms of the GNU General Public License, PowerDNS comes with ABSOLUTELY NO WARRANTY.
 This license is included in this documentation.
 
-As of the 9th of September 2016, no actual security problems with PowerDNS Authoritative Server 3.4.10, Recursor 3.6.3, Recursor 3.7.2, or later are known about.
-This page will be updated with all bugs which are deemed to be security problems, or could conceivably lead to those.
-Any such notifications will also be sent to all `PowerDNS mailing lists <https://mailman.powerdns.com>`_.
-
 HackerOne
 ^^^^^^^^^
 Security issues can also be reported on `our HackerOne page <https://hackerone.com/powerdns>`_ and might fetch a bounty.
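Review bot: The removal goes further than the commit subject ("remove outdated statement about versions") says: besides the dated "As of the 9th of September 2016 ..." sentence, this hunk also drops "This page will be updated with all bugs which are deemed to be security problems" and "Any such notifications will also be sent to all PowerDNS mailing lists", so the page no longer tells users where advisories are announced. If the mailing-list notification is still the practice, keep that sentence (or replace it with a pointer to the security advisories page); if it is not, the commit message should say the notification statement was removed as well. The added PGP line matches the one in SECURITY.md apart from the line break, which is fine for reST.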