From 0c5532d8b51d9cd3fab9a1032173352d4db589d1 Mon Sep 17 00:00:00 2001
From: BlackDex <black.dex@gmail.com>
Date: Sat, 26 Jun 2021 11:49:00 +0200
Subject: [PATCH] Adding a SECURITY.md

---
 .github/security-contact.gif | Bin 0 -> 2364 bytes
 .github/workflows/build.yml  |   2 ++
 SECURITY.md                  |  45 +++++++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 .github/security-contact.gif
 create mode 100644 SECURITY.md

diff --git a/.github/security-contact.gif b/.github/security-contact.gif
new file mode 100644
index 0000000000000000000000000000000000000000..0e6e449029d0a3b4716b202aba73d812e4cba18d
GIT binary patch
literal 2364
zcmV-C3B&eBNk%w1VL$;50QUd@000010RaL60s{jB1Ox;I1_lQQ2M7oV2?+@b3JMDg
z3k?ko4-XFz5D*a&5fc*=6ciK{6%`g178e&67#J8C85tTH8XFrM92^`S9UUGX9v>ec
zARr(iAt53nA|oRsBqSsyB_$>%CMPE+C@3f?DJd!{Dl021EG#T7EiEoCE-x=HFfcGN
zF)=bSGBYzXG&D3dH8nOiHa9mnI5;>tIXOByIy*Z%JUl!-Jv}}?K0iM{KtMo2K|w-7
zLPJACL_|bIMMXwNMn^|SNJvOYNl8jdN=r*iOiWBoO-)WtPESuyP*6}&QBhJ-Qd3h?
zR8&+}R#sP6S6EnBSy@?HT3TCMTU=aRU0q#XUS3~cUtnNhVPRonVq#-sV`OAxWo2b%
zW@cw+XJ}|>X=!O{YHDk1Yiw+6ZEbCCZf<XHZ*g&Pa&mHXbaZufb#``kcXxMqczAhv
zd3t(!dwY9)e0+U<eSUs^e}8{~fPjI4fr5g9gM)*FgoK5Kg@%TPhlhuVh=_@aiHeGf
zi;IhljEs$qjgF3vkB^U#kdTp)k&=><larH_l$4c~m6n#4mzS5An3$QFnVXxNot>SY
zo}QndpP-<ip`oFoqN1dvq@|^$r>Cc=sHmx_sj8}~tE;Q5tgNlAt*)-FudlDLu&}YQ
zv9hwVv$M0bw6wLgwYIjlx3{;rxVX8wxw^W#ySux*yu7`=y}rJ_zrVl0z`()5!NS7A
z!^6YG#KgtL#m2_Q$H&LW$jHgb$;!&g%gf8m%*@Tr&Cbrw&(F`$(9qG*(bCe=)6>(`
z)YR40)z;S5*VotB*x1?G+1lFL+uPgR+}z#W-QM2b-{0Th;Naom;o{=r<KyGx<mBb$
z<>uz*=jZ3>=;-O`>FVn0>+9?6?CkCB?e6aG@9*#M@bK~R@$&NW^Yioc^z`-h_4fAm
z_xJbs`1twx`TF|$`}_O+{QUj>{r>*`|Ns90000000000000000000000000000000
z0000000000A^8LV00000EC2ui06+l^000R80O<)FNU)&6g9sBUT*$DY!-o(fN}Ncs
zqQ#3CGgd^Dir_6$*))ob2y4;ElNz&;;)T*+wo>d`%A6^&2p@uhG89=zsv}K{h>#Fm
zgbbrKdfCjF2{e$`l{9A3Tq$~#rZ6Y~iV7@u2jw#WlSGoEhwO@(EjOEnG4o6yqA+Qo
zrlH5q-A{t-z!i*1mmoO4Tgw^j<z!(PH%JST1DueZV1n-SDz+=ID!H)&C1a+$Ss)EZ
z^s3TZoSE@KULvdrOr-#TGJ#u)qyi8tMpp}0OdGr`koVTj<uF^L?D@4oUMA@M?Twio
z@Xn-16C8WT(!l8SC`)FTrol6J04~A*y0Su`BMFxlDY!+ifu=MjZUG=iiUH_`%LPWx
zJiT{8Hyx}XLNE0A0Kf_>v>*X{x0s-V3HOmx1OR^&6pK&^l>&eQKA0d(Wdh=+P#7y1
zSRp-kbkKqb?2#pc2`c~qN;Uvkmqu3f^umA-R#;$yU1=zQAw7ryU;zy@gaiu!X5<J!
z7zu%cgb1Y!1kM(zTp^G&0+q*3RdQHx;z8CB;F>!O0Kk$JD<ByY9{|uLLI(t`VB9k%
z03d`2CV>M0hIi0L4|zyFwgmugn4o|r^pN7C4jF(#k2DB&umx-c&;a9O2u)&v8GN-c
z5E6_w@K`T&7R5`G#z`ZD39%^uB#a0mSTGkou>f#|6B6i<T?_$spyoiA>@+Ezp!h1m
zOP7wuPA?e{^ao-Dr7|Q!h+I+-l>#9l2SV%sz+Nh`g5rZf*+ffE2eH!Q1fz18L=O!t
z(IX!zp$*i_xdUC%Zoi0RmmETW)L2j&9SuAXod!*4oI%nI>_nB>jfI4D^q3%6ISSKb
z=RoBMQP391T(ZWz`i<p8SORt6>sAts6|ST!5J(RcH_<4N6#<h8fT#qCz}F;qWFzuG
zCWJ&!DNwisKnw|4(5?>mfikRKMKHDQw*y(x01`C#pa4CoGzoPomm*>U6iyI85FgYI
z6iZ<W-O+Pp77Qef2nq53Vnq=?v=xSsVJnbLHXRG(hP*n|Ypp@I@Y}6V*G21w)(1%g
z_P_KTIH9Bq8>Dtu3DHXr-^$UT!{FLx9Fsfc4fHX(P!nWHAU;T7$;srXJ~+no#IPAD
z#=2W207dAaLkB{E^YR~<i*5qx0tqe9B7BfjyFeLW#&kj8T+sr>1_=Z7(liKkN!;}0
zEs!N#Uw?GIr8FsODRVW@oBP*CPmeIoO2{2Z#}^A|B@F>A2r?*UiR4(~W%+84(vZQD
z%W;oO_R>;8ltDLvI01B=f=l`q!ixlbC>6JohUDmRJ|aor3dBK3EQ%n9o>}2U?`oM{
zgwZh{Y{nXi^V1doic}@E2m}g@5{M6oBMtrm02cJffX$RM8h!;rUI|%414wti4zMQ!
z6yw7P>9MNoKtTd51J|;Sm=;oui5^1enF!(sn-(~M1|l;MJtW|WR1m-&Lhu0+VgP`f
zfC32(5R$fdfrLCEAuR_%h6IEVgB8St7Z&hAn-XFP0QkTO9cY~yR&Ylh*o736gcKBo
z(SRaIfJyWKg#`fMgk}i?2{H1PKwu$(BA8%)ox|cnE+Gd$b&nnen+q=tB!mxT!wDE<
zh_D6%iVQ$O2n4WzUgXdL0|9_QYe2%&pec|Rgv|mi3J*Ev(<p0VGiL6v0s!#Xu0U9T
zk^tZvGE7kagehrDo*%LR|Dt4tXY@i(PO!kq=<y5-=pY6fb4v!8WS93eBo&$Dr+E_T
zgj=zr1ty3=10bn4UT6gwA9_YeK9r*mS)(o1FewF(0*+fCLm9kiOG3)Q3zq83rw9Ru
zFnZA$X_%BC<>&=a$q@@{l%p-u=mk#eMGl+d^kLaJDnYjQkY4m6Cd!bia->RBiI77y
zNa4j;dO;as#DX2q5R5Q*5!PF5#;crCnoiTY)*T|F7q{3>R%7B*yb9#6as}!_lG+Pi
zL{lJ2C5S;$DiL;Qm7%?$AW&oC2<qMCv!E@AH3AU>3552vs7)<Oq=AS(SYWTJjqORK
i!3RVcAfhv}&8=>COO`wQ;jz38u5gD-+~O)EAOJgW-~UYj

literal 0
HcmV?d00001

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 48b89cc1..26fcb663 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,6 +15,7 @@ on:
       - "tools/**"
       - ".github/FUNDING.yml"
       - ".github/ISSUE_TEMPLATE/**"
+      - ".github/security-contact.gif"
   pull_request:
     # Ignore when there are only changes done too one of these paths
     paths-ignore:
@@ -30,6 +31,7 @@ on:
       - "tools/**"
       - ".github/FUNDING.yml"
       - ".github/ISSUE_TEMPLATE/**"
+      - ".github/security-contact.gif"
 
 jobs:
   build:
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..95d87b78
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,45 @@
+Vaultwarden tries to prevent security issues but there could always slip something through.
+If you believe you've found a security issue in our application, we encourage you to
+notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!
+
+# Disclosure Policy
+
+- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every
+  effort to quickly resolve the issue.
+- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a
+  third-party. We may publicly disclose the issue before resolving it, if appropriate.
+- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or
+  degradation of our service. Only interact with accounts you own or with explicit permission of the
+  account holder.
+
+# In-scope
+
+- Security issues in any current release of Vaultwarden. Source code is available at https://github.com/dani-garcia/vaultwarden. This includes the current `latest` release and `main / testing` release.
+
+# Exclusions
+
+The following bug classes are out-of scope:
+
+- Bugs that are already reported on Vaultwarden's issue tracker (https://github.com/dani-garcia/vaultwarden/issues)
+- Bugs that are not part of Vaultwarden, like on the the web-vault or mobile and desktop clients. These issues need to be reported in the respective project issue tracker at https://github.com/bitwarden to which we are not associated
+- Issues in an upstream software dependency (ex: Rust, or External Libraries) which are already reported to the upstream maintainer
+- Attacks requiring physical access to a user's device
+- Issues related to software or protocols not under Vaultwarden's control
+- Vulnerabilities in outdated versions of Vaultwarden
+- Missing security best practices that do not directly lead to a vulnerability (You may still report them as a normal issue)
+- Issues that do not have any impact on the general public
+
+While researching, we'd like to ask you to refrain from:
+
+- Denial of service
+- Spamming
+- Social engineering (including phishing) of Vaultwarden developers, contributors or users
+
+Thank you for helping keep Vaultwarden and our users safe!
+
+# How to contact us
+
+- You can contact us on Matrix https://matrix.to/#/#vaultwarden:matrix.org (user: `@danig:matrix.org`)
+- You can send an ![security-contact](/.github/security-contact.gif) to report a security issue.
+  - If you want to send an encrypted email you can use the following GPG key:<br>
+    https://keyserver.ubuntu.com/pks/lookup?search=0xB9B7A108373276BF3C0406F9FC8A7D14C3CD543A&fingerprint=on&op=index