From 38a5e4334be7c12778976e8900e427827bb57288 Mon Sep 17 00:00:00 2001 From: Jonah Aragon Date: Thu, 20 Jun 2019 16:24:02 -0500 Subject: [PATCH 1/2] Add Security Policy As recommended in #988 --- .well-known/security.txt | 1 + SECURITY.md | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) create mode 100644 SECURITY.md diff --git a/.well-known/security.txt b/.well-known/security.txt index b4cc04d6..6e804b30 100644 --- a/.well-known/security.txt +++ b/.well-known/security.txt @@ -2,3 +2,4 @@ Contact: admin@privacytools.io Encryption: https://www.jonaharagon.com/keys/ Preferred-Languages: en Canonical: https://www.privacytools.io/.well-known/security.txt +Policy: https://github.com/privacytoolsIO/privacytools.io/security/policy diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..b3c05bfe --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,32 @@ +# Security Policies and Procedures + +This document outlines security procedures and policies for the `privacytools.io` repository/code and all services hosted by privacytools.io, such as Mastodon, Matrix, Riot, et cetera. + +## Reporting a Bug + +We take all security bugs related to our code and our infrastructure very seriously. Thank you for improving the security of our projects and services. We appreciate your efforts and responsible disclosure, and will make every effort to acknowledge your contributions. + +Report any security bugs by emailing the services administrator at [admin@privacytools.io](mailto:admin@privacytools.io). + +The administrative team will acknowledge your message within 48 hours, and will provide a detailed response within 72 hours detailing the next steps for handling your report. After our initial reply we will make every effort to keep you informed of the progress towards a fix and announcement, and we may ask for additional information or guidance. + +Please report any security bugs in third-party projects to the person or team maintaining that project. + +The following are out of scope and should **not** be performed: + +* Excessive Automated Scans +* Denial of Service Attacks +* Social Engineering Attacks +* Reports against infrastructure outside our control + +## Disclosure Policy + +When we receive a security report, that report will be assigned to an administrative team member. That person will coordinate the fix, release, and announcement process, involving the following steps: + +1. Confirm the problem and determine affected services. +2. Audit infrastructure and/or code to find any potential similar problems. +3. Prepare fixes for all releases currently in production, which will be implemented as quickly as possible. + +## Comments on this Policy + +Please open a Pull Request or Issue if you would like to discuss any changes to this policy. -- 2.47.2 
From ad344be456504a6f309d860c1d280917f6f4f39d Mon Sep 17 00:00:00 2001 From: Jonah Aragon Date: Fri, 21 Jun 2019 19:13:13 -0500 Subject: [PATCH 2/2] Update SECURITY.md - Don't condone attacks against live user accounts/data: https://github.com/privacytoolsIO/privacytools.io/pull/1001#issuecomment-504210270 - Add announcement process if user data is affected: https://github.com/privacytoolsIO/privacytools.io/pull/1001#discussion_r296408553 --- SECURITY.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index b3c05bfe..1d363102 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,12 +12,13 @@ The administrative team will acknowledge your message within 48 hours, and will Please report any security bugs in third-party projects to the person or team maintaining that project. -The following are out of scope and should **not** be performed: +The following are out of scope and should **not** be attacked/performed: * Excessive Automated Scans * Denial of Service Attacks * Social Engineering Attacks * Reports against infrastructure outside our control +* User or admin accounts not owned by the tester ## Disclosure Policy @@ -27,6 +28,8 @@ When we receive a security report, that report will be assigned to an administra 2. Audit infrastructure and/or code to find any potential similar problems. 3. Prepare fixes for all releases currently in production, which will be implemented as quickly as possible. +Additionally, if user data was directly affected or compromised, we will inform affected users to the best of our ability via email and/or a website notification with more information about the incident. + ## Comments on this Policy Please open a Pull Request or Issue if you would like to discuss any changes to this policy. -- 2.47.2
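Review bot: In the `.well-known/security.txt` hunk of patch 1/2, the new `Policy:` line is the right addition, but the surrounding file still lacks an `Expires:` field and the `Contact:` value is a bare address rather than a URI, both of which the security.txt specification (now RFC 9116) calls for. Suggest `Contact: mailto:admin@privacytools.io` and an `Expires:` line with a date a year or so out, so the file does not silently go stale; since an `Encryption:` key is already advertised, consider also publishing a clear-signed copy so readers can verify the file was not tampered with.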
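Review bot: In the `SECURITY.md` hunk of patch 1/2, the "Disclosure Policy" intro promises a "fix, release, and announcement process", but the three numbered steps stop at "Prepare fixes" and never say when or how an announcement is made, nor what the reporter may publish and when. Suggest a step 4 along the lines of "Publish an advisory once fixes are deployed, crediting the reporter if they wish" and a sentence on the expected disclosure window. Two smaller points in the same hunk: the 48-hour acknowledgement and 72-hour "detailed response" are both commitments, so state whether the 72 hours run from the report or from the acknowledgement; and the "Reporting a Bug" section asks for reports by plain email while the companion `security.txt` already advertises an `Encryption:` key, so link that key here so reporters know they can encrypt vulnerability details.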
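Review bot: In the first `SECURITY.md` hunk of patch 2/2, changing "performed" to "attacked/performed" and appending "User or admin accounts not owned by the tester" leaves the bullet list mixing three different kinds of item: actions the tester must not take (scans, DoS, social engineering), assets the tester must not touch (other users' accounts), and a category of report that is simply out of scope ("Reports against infrastructure outside our control"), which is not something one "attacks/performs". Suggest either splitting into two lists, "Out of scope" and "Do not do the following while testing", or rewording the last two bullets so every item reads as a prohibited activity, e.g. "Testing infrastructure outside our control" and "Accessing or modifying user or admin accounts you do not own".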
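Review bot: In the second `SECURITY.md` hunk of patch 2/2, the added user-notification sentence has no time bound ("to the best of our ability"), which sits oddly beside the concrete 48-hour and 72-hour commitments earlier in the same file; suggest a target such as notifying affected users within a stated number of days of confirming the compromise. It would also read better as a fourth numbered step in the list it follows ("4. If user data was affected, notify affected users by email and/or a website notice") rather than a trailing paragraph, since the list is explicitly described as the fix, release, and announcement process.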