From 1fd180bc20df27a50729c5e45ba903bb8c9ec57d Mon Sep 17 00:00:00 2001 From: Suzanne Goldlust Date: Thu, 13 Mar 2025 18:06:16 +0000 Subject: [PATCH] Text edits; add "no bug bounties" text --- SECURITY.md | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 58c37279e8..130eeee117 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -30,33 +30,42 @@ Starting with the Kea 1.7 release, all Kea versions with an odd minor version number are development releases, and become EOL as soon as the following stable release is published. -Limited past EOL support may be available to higher tier customers. +Limited past EOL support may be available to higher-tier customers. Please contact ISC sales, using this form: https://www.isc.org/contact/ ## Reporting a Vulnerability -To report security vulnerability, please follow this instruction: +To report a security vulnerability, please follow the instructions on this +page: https://www.isc.org/reportbug/ -Briefly, we prefer confidential issue on gitlab (not github). An issue is +We prefer a confidential issue on GitLab (not GitHub). An issue is much better, because it's easier to get more ISC engineers involved in it, -evolve the case as more information is known, update or extra information, etc. +evolve the case as more information is known, update or add information, etc. -Second best is to send e-mail (possibly encrypted) to kea-security@isc.org. +If a GitLab issue is not possible, please send e-mail (possibly encrypted) +to kea-security@isc.org. -## Software Defects and Security Vulnerability Disclosure Policy +## Reporting a Bug + +We are working with the interests of the greater Internet at heart, and we +hope you are too. In that vein, we do not offer bug bounties. If you think +you have found a bug in Kea, we encourage you to report it responsibly at the +link above; if verified, we will be happy to credit you in our Release Notes. + +## Software Defect and Security Vulnerability Disclosure Policy ISC treats the security of its software products very seriously. 
This -document discusses the evaluation of a defect severity and the process +document discusses the evaluation of a defect's severity and the process in detail: https://kb.isc.org/docs/aa-00861 -## Further reading +## Further Reading The **Kea security** section of Kea ARM discusses the technical -aspects, such as how to properly configure TLS certificates, how to secure -Kea deployment and also what the security incident handling process +aspects, such as how to properly configure TLS certificates and how to secure +Kea deployment, and also what the security incident handling process looks like: https://kea.readthedocs.io/en/latest/arm/security.html#kea-security-processes -The **Past advisories** for Kea can be found on the KB: https://kb.isc.org/docs -On the left hand panel, see the `Security Advisiories` in the `Kea DHCP` section. +**Past advisories** for Kea can be found in our KB: https://kb.isc.org/docs. +On the left-hand panel, see the `Security Advisories` in the `Kea DHCP` section.
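Review bot: In the new "Reporting a Bug" section, "report it responsibly at the link above" is ambiguous, because the preceding hunk context contains two links (the https://www.isc.org/reportbug/ reporting page and the https://www.isc.org/contact/ sales form), and a reader who lands on this section from the table of contents will not see either. Suggest repeating the intended URL inline, e.g. "we encourage you to report it responsibly via https://www.isc.org/reportbug/", and, since this section now sits directly under "Reporting a Vulnerability", stating whether an ordinary (non-security) bug also needs a confidential GitLab issue or whether a normal public issue is fine; as written, the preference for confidential issues in the section above could be read as applying to every bug report.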