Security Policy

The Defence Digital Digital Standards policy is to avoid leaving the ecosystem worse than we found it, meaning we do not intend to introduce vulnerabilities into the ecosystem.

The Defence Digital Digital Standards team takes security vulnerabilities in the MOD.UK Design System seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

Supported Versions

The table below details which versions of the MOD.UK Design System are supported with bug fixes and security updates:

Version | Supported
--------|----------
2.x     |
1.x     |

Version and release note documentation

Reporting a Vulnerability

Please report vulnerabilities to us using the guidelines outlined below.

To report a security issue, email [email protected] and include the word "SECURITY" in the subject line.

Please include:

  • Your name and affiliation (if any)
  • A brief description of the vulnerability
  • The website page or repository component where the vulnerability exists
  • Steps to identify the vulnerability; it is important that we can reproduce your findings
  • Optionally, the type of vulnerability and any applicable OWASP category

The Defence Digital Digital Standards team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Qualifying Vulnerabilities

Any reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. Common examples include cross-site scripting (XSS), server-side code injection (SSI), cross-site request forgery (CSRF), server-side request forgery (SSRF), remote code execution (RCE), sensitive data exposure and privilege escalation.

The following are not in scope: volumetric vulnerabilities, for example overwhelming a service with a high volume of requests.

Usage Recommendations

We recommend following the OWASP guidance for developing secure Node.js applications.

Known Security Gaps & Future Enhancements

We will publish here any known security improvements we have not yet made. We welcome contributions.

Contact

[email protected]

Defence Digital Digital Standards security policy version 1.1.0