Skip to content

Add SECURITY.md to enable private vulnerability reporting #515

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
lihnucs wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add SECURITY.md to enable private vulnerability reporting #515

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
69 changes: 69 additions & 0 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@

# Security Policy

## Supported Versions

Only the latest release of Angry IP Scanner receives security fixes.

| Version | Supported |
|----------------|-----------|
| 3.9.3 (latest) | Yes |
| < 3.9.3 | No |


## Reporting a Vulnerability

Please **do not** open a public GitHub issue for security vulnerabilities.

**Preferred channel — GitHub Private Advisory:**
Use the **"Report a vulnerability"** button on the
[Security tab](https://github.com/angryip/ipscan/security) of this
repository. This keeps the report confidential until a fix is released
and allows GitHub to assign a CVE on request.

> **Note for maintainers:** If the "Report a vulnerability" button is not
> visible, enable **Private vulnerability reporting** under
> Settings → Code security and analysis.

**Alternative — Email:**
Contact the maintainer directly at `[maintainer email]` if the button
above is unavailable.


## What to Include

- Description of the vulnerability and its potential impact
- Affected version(s)
- Steps to reproduce, or a proof-of-concept
- Suggested remediation (optional but welcome)


## Response Timeline

| Milestone | Target |
|-----------------------------|---------|
| Acknowledgement of receipt | 14 days |
| Initial triage | 30 days |
| Fix or remediation plan | 90 days |

We follow a **90-day coordinated disclosure** window from the date of
acknowledgement. Please allow this time before publishing vulnerability
details publicly.

If no acknowledgement is received within 14 days, please follow up by
email or escalate to [MITRE](https://cveform.mitre.gov/).


## Scope

- Vulnerabilities in Angry IP Scanner application code
- Security issues in exported file formats (SQL, XML, CSV) that cause harm
when the exported file is imported into a database or other tool
- Vulnerabilities in bundled third-party dependencies


## Out of Scope

- Issues requiring physical access to the user's machine
- Vulnerabilities in operating system or JVM components not shipped with
the application