Security: oleguldberg/OpenGRC

SECURITY.md

OpenGRC Security Policy

Supported Versions

This section lists which versions of OpenGRC currently receive security updates.

Version   Supported
0.1.x     ⚠️ ✅ This is an Alpha Release! Not for Production use!

Reporting a Vulnerability

At OpenGRC, we take the security of our systems seriously and are committed to ensuring that the OpenGRC platform is safe for everyone to use. If you discover a security vulnerability, we encourage you to report it privately to protect users while the issue is being addressed.

How to Report a Security Vulnerability

To report a security vulnerability privately:

  1. Use GitHub's Private Security Reporting Feature
    OpenGRC leverages GitHub's private security reporting feature, allowing you to confidentially submit security concerns. To report a vulnerability, follow these steps:

    • Go to the OpenGRC GitHub repository.
    • Under the "Security" tab, click on "Report a vulnerability."
    • Provide as much detail as possible regarding the vulnerability, including:
      • Steps to reproduce the issue.
      • Any potential impacts or risks.
      • Your suggestions for remediation (if applicable).
  2. What Happens Next?

    • After your report is submitted, our team will promptly review the issue and work on a solution.
    • We will communicate with you throughout the process to keep you informed on the status of the vulnerability.
    • If you provided contact information, we may reach out to you for further details or clarifications.
  3. Disclosure Policy

    • We follow a responsible disclosure process. Once the vulnerability has been resolved, we may publicly disclose details of the vulnerability and, if the reporter wishes, give credit to the discoverer.
    • If the issue requires immediate attention to protect users, we will prioritize the release of a fix.
  4. Non-Security Issues

    • For non-security issues such as bug reports or feature requests, please use the regular GitHub issue tracker instead of the private reporting feature.

We appreciate your responsible disclosure and your efforts in keeping OpenGRC secure!

For any further questions or clarifications, feel free to reach out.

There aren’t any published security advisories