diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..3a723f89d --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,56 @@ +# Security Policy + +## Supported Versions + +The [most recent Annif major/minor release](https://github.com/NatLibFi/Annif/releases) +is considered supported, +in the sense that if a serious bug or vulnerability is encountered in it, +we relase a patch to fix the issue. + +Generally, we aim to update all dependencies to their latest versions on each Annif major/minor release. +However, note that most of the [dependencies of a given Annif release](https://github.com/NatLibFi/Annif/blob/main/pyproject.toml) +are pinned only on minor version level, so patch level fixes of (most) dependencies can be applied to an Annif installation, +by either manually updating the outdated packages or recreating the virtual environment from scratch and reinstalling Annif. + +### Docker image +We rebuild and publish a new Docker image of the latest Annif release in the +[quay.io repository](https://quay.io/repository/natlibfi/annif?tab=info) +when it is considered necessary in order to update both system packages and Annif dependencies of the image. +A new image is published about once every month. + +The security scanner that is used on quay.io is +[Clair](https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/about_quay_io/clair-vulnerability-scanner). +You can see the vulnerabilities detected in an image by navigating via the link in the Security Scan column of the [tags view](https://quay.io/repository/natlibfi/annif?tab=tags), +see the screenshot below. + +The scanner typically detects many vulnerabilities, that is several tens, in the packages of the images, even when they have been rebuild recently. +However, there exist patches for only some of the vulnerabilities, +and due to the way that Annif uses the dependencies, most of the detected vulnerabilities +do not apply to Annif use. + + + +## Reporting a Vulnerability + +We value your findings, and we would be grateful if you report +any concerns or vulnerabilities by email to **`finto-posti@helsinki.fi`**. +_Do not create a GitHub issue for security vulnerabilities_. +Note that Annif team is a part of the larger Finto team, +which has resources for the contact service throughout the year. + +If the security vulnerability is in a third-party software library, +please report it also to the team maintaining it. + +Each security concern will be assigned to a handler from our team, +who will contact you if there is a need for additional information. +We confirm the problem and keep you informed of the fix. + +To facilitate a quick and accurate response make sure to include the following details when submitting your report: + +- A clear and descriptive title that outlines the report's subject and the software it pertains to (Annif). +- The version(s) of Annif, its dependencies and the (possible) other related software that contribute to the vulnerability. +- Break down the technical aspects of the vulnerability in your description. +- A minimal example showcasing the vulnerability. +- An explanation who has the potential to exploit this vulnerability and the benefits they would derive from doing so. +- Whether the vulnerability is public knowledge or known to third parties, and if so, share relevant details. +- (A remediation suggestion if you have have one.)