This document houses information about the Dynamoose Security Policy.
While reading this document, please remember that the LICENSE takes priority over this document. For example, the fact that this software is provided as is without warranty of any kind, and in no event shall the authors be liable for any claim, etc.
You can find the list of supported versions that will receive security updates on the Dynamoose website under the Maintained Versions page.
Security updates will be included in either patch or minor versions.
In the event a security vulnerability is patched in a major version, it will also be back-ported to all supported version lines (in the event the vulnerability exists on previous version line).
Security vulnerabilities will only be back-ported to previous minor versions in the extremely unlikely event a minor version causes a breaking change and someone requests the patch to be backwards applied, and demonstrates the breaking change. If this occurs please contact me with your request.
You can report security vulnerabilities by using my contact page (https://charlie.fish/contact).
For security purposes, please follow the following guidelines:
- Ensure all sites you access while reporting a vulnerability are accessed using SSL/HTTPS.
- Encrypt all vulnerability information using my Keybase (Keybase link can also be found on my contact page) encryption keys.
- For ease of use, please include a method to contact you un-encrypted in your message. In the event decryption of your message fails, I need a way to contact you to notify you of the decryption failure.
You can expect to receive an initial receipt of your report within 48 business hours of submission (exception to this is holiday periods). In the event you don't receive an initial receipt of your report within that time frame please contact me again (I suggest using un-encrypted communication for this second communication, but the choice is yours).
During the vulnerability process, I will keep you informed and may ask follow up questions regarding your report, so please ensure you remain available until a fix is deployed.