Skip to content

Security: micromatch/picomatch

Security

SECURITY.md

Security Policy

  1. Reporting vulnerabilities
  2. Security Point of Contact
  3. Incident Response Process
  4. Additional Information

Pull requests to improve this document are welcome and appreciated.


Reporting vulnerabilities

DO NOT CREATE AN ISSUE to report a vulnerability.

Instead, please send an email to github@sellside.com. See Responsible Disclosure for more details.


Security Point of Contact

After you send an email to github@sellside.com, you should receive a response from Jon Schlinkert or Brian Woodward within one business day.


Incident Response Process

When incidents are discovered or reported, we adhere to the following process to contain, respond and remediate:

1. Containment

The first step is to find out the root cause, nature and scope of the incident.

  • Is it still ongoing? If yes, first priority is to fix it.
  • Is the incident outside of our control or influence? If yes, first priority is to contain it.
  • Find out knows about the incident and who is affected.

2. Response

After the initial assessment and containment to our best abilities, we will document all actions taken, in one or all of the following documents, depending on the nature and severity of the issue:

  • CHANGELOG
  • Dedicated issue (pinned if necessary)
  • Deprecation notice(s) for any versions affected by the issue

3. Remediation

When applicable, once the incident is confirmed to be resolved, we will summarize the lessons learned from the incident and create a list of actions we will take to prevent it from happening again.


Professional support for Micromatch

All micromatch projects are:

  • open source
  • made available under the permissive copy-left MIT License
  • supported by software developers in their free time

Additional information

You can learn about critical software updates and security threats from these sources:

  1. GitHub Security Alerts
  2. Greenkeeper Dependency Updates
  3. GitHub: https://status.github.com/ & @githubstatus
  4. Zeit (Hosting): https://zeit-status.co/ & @zeit_status
  5. Travis (CI/CD): https://www.traviscistatus.com/ & @traviscistatus

There aren’t any published security advisories