diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000..c655497 --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,36 @@ +# Security Policy + +## Reporting a Vulnerability + +We take the security of VersionTwo seriously. If you believe you have found a security vulnerability, please report it to us as described below. + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please report them via email to: + +``` +maintainers@pandaswhocode.com +``` + +You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message. + +Please include the following information in your report: + +- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) +- Full paths of source file(s) related to the manifestation of the issue +- The location of the affected source code (tag/branch/commit or direct URL) +- Any special configuration required to reproduce the issue +- Step-by-step instructions to reproduce the issue +- Proof-of-concept or exploit code (if possible) +- Impact of the issue, including how an attacker might exploit it + +## Preferred Languages + +We prefer all communications to be in English. + +## Policy + +- We will respond to your report within 48 hours with our evaluation and expected resolution time +- If you have followed the instructions above, we will not take legal action against you in regard to your report +- We will keep you informed of the progress towards resolving the issue +- Once the issue is resolved, we will publicly acknowledge your responsible disclosure, if you wish diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..4e7559d --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,15 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file + +version: 2 +updates: + - package-ecosystem: "github-actions" # See documentation for possible values + directory: "/" # Location of package manifests + schedule: + interval: "weekly" + - package-ecosystem: "pip" # See documentation for possible values + directory: "/" # Location of package manifests + schedule: + interval: "weekly"