From cbff3e4fd458b3dabd4c9ff6c28ea277db2db0b4 Mon Sep 17 00:00:00 2001 From: Pavel Boldyrev <627562+bpg@users.noreply.github.com> Date: Sun, 9 Feb 2025 22:35:45 -0500 Subject: [PATCH] chore(docs): add security policy (#1758) This commit introduces a detailed SECURITY.md file that outlines: - Supported version policy for security patches - Vulnerability reporting process - Disclosure and handling procedures - Security best practices for using the provider - Additional security resources and references The new security policy provides clear guidance for users and contributors on how security issues are managed and mitigated. Signed-off-by: Pavel Boldyrev <627562+bpg@users.noreply.github.com> --- .github/SECURITY.md | 75 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 00000000..0963dcc5 --- /dev/null +++ b/.github/SECURITY.md 
@@ -0,0 +1,75 @@ +# Security Policy + +## Supported Versions + +We release patches for security vulnerabilities for the following versions: + +| Version | Supported | +|-----------------------------------|--------------------| +| Latest release | :white_check_mark: | +| Previous minor release | :white_check_mark: | +| Older than previous minor release | :x: | + +## Reporting a Vulnerability + +We take the security of the Terraform Provider for Proxmox and its users seriously. If you believe you have found a security vulnerability, please report it to us privately. + +**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** + +Instead, please send an email to [bpg.github.com.tn75g@passmail.net](mailto:bpg.github.com.tn75g@passmail.net) or report it through GitHub's Security Advisory feature: + +1. Go to +2. Provide a descriptive title +3. Fill in a detailed description of the issue +4. Click "Submit report" + +Please include the following information in your report: + +- Description of the vulnerability +- Steps to reproduce the issue +- Potential impact of the vulnerability +- Suggested fix if possible +- Your name/handle for credit (optional) + +## What to Expect + +When you submit a vulnerability report, you can expect: + +- Acknowledgment of your report within 48 hours +- Regular updates about our progress +- Credit for discovering the vulnerability (if desired) + +## Disclosure Policy + +When we receive a security bug report, we will: + +1. Confirm the problem and determine the affected versions +2. Audit code to find any potential similar problems +3. Prepare fixes for all supported versions +4. Release new versions and notify users + +## Security-Related Configuration + +When using this provider, please follow these security best practices: + +1. 
**API Credentials**: + - Use environment variables or encrypted credential files to store sensitive information + - Never commit API tokens or credentials to version control + - Use the most restrictive permissions possible for API users + +2. **Network Security**: + - Use HTTPS/TLS for all API connections + - Configure appropriate firewall rules + - Use private networks where possible + +3. **State File Security**: + - Encrypt your Terraform state files + - Use remote state with appropriate access controls + - Be cautious with state file contents as they may contain sensitive information + +## Additional Information + +For more information about security practices when using this provider, please refer to: + +- [Terraform Security Best Practices](https://www.terraform.io/docs/cloud/guides/recommended-practices/security.html) +- [Proxmox Security Documentation](https://www.proxmox.com/en/proxmox-ve/security)
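Review bot: the GitHub Security Advisory instructions in the "Reporting a Vulnerability" section are not actionable as written: step `1. Go to` has no link target, so a reporter following the numbered steps is never told where to open the advisory. Add the repository's "Report a vulnerability" URL (the Security tab's advisory page) to that step, or drop the numbered steps and keep only the email address, so that the private reporting path is unambiguous. Two smaller points in the same hunk: the "State File Security" bullet `Encrypt your Terraform state files` states a goal without a mechanism, and since the next bullet already recommends remote state with access controls, consider merging them into one bullet that names backend encryption at rest plus restricted access as the concrete measure; and the `Terraform Security Best Practices` link under "Additional Information" points at the legacy `www.terraform.io/docs/cloud/...` path, so it is worth confirming it still resolves to the intended page before this is merged.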