831
by Francois Marier
Document how to report security bugs

# Reporting security bugs

Here is some security-related information for Libravatar.org and the
Libravatar protocol.

6 |
## Bugs in the Libravatar.org service

There are two ways to report security bugs in the Libravatar service:

1. [File a bug on the tracker](https://bugs.launchpad.net/libravatar/+filebug) with a "Private Security" visibility.
2. Email Francois Marier at `security@libravatar.org`

13 |
## Bugs in the Libravatar protocol

For bugs in the Libravatar federated protocol itself, please email `security@libravatar.org`.

17 |
## Bugs in third-party libraries

If you find a bug in a [third-party library](http://wiki.libravatar.org/libraries/),
please email its author directly, but feel free to CC `security@libravatar.org`.

22 |
# Acknowledgment

If you email `security@libravatar.org`, we will do our best to acknowledge your
email within 48 hours. If you haven't heard from us, please try again or ping
us through [another channel](http://wiki.libravatar.org/talk_to_us/).

28 |
# Disclosure policy

It is of course up to you whether or not you publicize the security
vulnerability you have discovered, but we do ask that you please give us a
bit of time to deploy a fix before you discuss your findings publicly.