Last updated: August 3, 2021
In the interest of, and commitment to, the security of our users, the Skytable team has issued this document, titled the 'Security Policy'. Any vulnerabilities and/or exposures directly or indirectly involving the use of Skytable must be reported in compliance with this document.
- First prepare an MCVE to exploit the vulnerability
- Move your MCVE into a new directory and create a file EXPLOIT.txt
- Within the EXPLOIT.txt file, describe:
  - What version/tag/commit was exploited
  - A description of the exploit and its impact
  - How to run your MCVE (incl. required frameworks/dependencies/tools/et cetera)
- Also at the end of the EXPLOIT.txt file, write an affirmation, replacing <NAME> with your real name:
  I, <NAME> affirm that all information provided here is correct to my knowledge and I will comply and coordinate with the team as required. I also acknowledge that I am making this submission as a voluntary effort.
- Compress your files into a ZIP archive
- Encrypt the ZIP archive using our PGP public key linked below.
- Email the archive to: security@skytable.io. DO NOT include any information in the email body/subject because e-mail is insecure. Set the subject line to [SECURITY EXPLOIT] [DD-MM-YYYY].
You will be acknowledged in the report for your discovery of the exploit and will also be mentioned in the CVE report filed (if any).
- You/we discover and report a vulnerability
- The team acknowledges it (usually through an e-mail) and creates an internal ticket within 24 hours
- The team coordinates with itself/you to prepare a hotfix
- The hotfix is released and the time of release is noted
- 48 hours after the hotfix has been released, the vulnerability is disclosed
- A CVE and/or a Security Advisory is issued and released to the public
- You may not disclose anything before the team publicly discloses the vulnerability
- You agree that this is voluntary work
The most recent 'stable channel' release (i.e. not a pre-release as per Semver) receives a security hotfix, and a patch will be released for older versions that need to deploy a fix.
Our PGP public key can be found here. To encrypt your ZIP file:
wget https://keys.openpgp.org/vks/v1/by-fingerprint/DA60821CD47EDCC9FF4702AF66F326F3B98EAF90 -O skytable.pgp # download the key
gpg --import skytable.pgp # import the key
gpg --output <ZIPFILE>.encrypted.zip --encrypt <ZIPFILE>.zip --recipient nandansayan@outlook.com # encrypt the archive
Replace <ZIPFILE> with the name of your ZIP file. The output file will be <ZIPFILE>.encrypted.zip, and this is what you have to send to the provided e-mail address.
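The three commands above, wrapped into a script as an added example (this is not part of the Skytable policy and not the project's own tooling). The one thing it adds over typing the commands by hand is a check that the key actually imported carries the fingerprint that appears in the policy's key URL before anything is encrypted to it, and it encrypts to that fingerprint rather than to an e-mail address, since an address can match more than one key in a keyring. The function names, the use of --trust-model always (so that a freshly imported, not-yet-signed key does not trigger an interactive prompt), and the wget/gpg flags are my choices, not the policy's.

```shell
#!/bin/sh
# Added example: encrypt a report archive to the Skytable security key,
# refusing to proceed unless the imported key's fingerprint matches the
# one embedded in the policy's download URL.
set -eu

# Fingerprint taken from the key URL in the policy text.
KEY_FPR="DA60821CD47EDCC9FF4702AF66F326F3B98EAF90"
KEY_URL="https://keys.openpgp.org/vks/v1/by-fingerprint/$KEY_FPR"

# normalize_fpr STRING: drop spaces and upper-case, so the spaced form gpg
# prints for humans ("DA60 821C ...") compares equal to the compact form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# fingerprint_matches ACTUAL EXPECTED: succeed only if both fingerprints
# are identical after normalization.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# imported_fingerprints SEARCH: print the full fingerprints gpg reports for
# keys matching SEARCH, using the machine-readable colon format (field 10
# of an "fpr" record is the fingerprint).
imported_fingerprints() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# encrypt_report ZIPFILE: download and import the key, verify the
# fingerprint, then write ZIPFILE.encrypted.zip (ZIPFILE without .zip).
encrypt_report() {
    zip="$1"
    [ -f "$zip" ] || { echo "no such file: $zip" >&2; return 1; }

    wget -q "$KEY_URL" -O skytable.pgp        # download the key
    gpg --batch --import skytable.pgp         # import the key

    found=0
    for fpr in $(imported_fingerprints "$KEY_FPR"); do
        if fingerprint_matches "$fpr" "$KEY_FPR"; then
            found=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "key fingerprint mismatch, not encrypting" >&2; return 1; }

    # Encrypt to the fingerprint (unambiguous) rather than to an address.
    gpg --batch --trust-model always \
        --output "${zip%.zip}.encrypted.zip" \
        --encrypt --recipient "$KEY_FPR" "$zip"
}

# Usage: sh encrypt-report.sh report.zip
if [ "${1:-}" != "" ]; then
    encrypt_report "$1"
fi
```

The fingerprint comparison is deliberately separate from the gpg calls so that it can be checked without a network connection or a keyring; a mismatch leaves the archive unencrypted rather than encrypting it to an unexpected key.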