|
| 1 | +## Supported Versions |
| 2 | + |
| 3 | +We are committed to providing security updates for the current major and immediately preceding major version of the PLUSE platform. We strongly encourage all users to run a supported version. |
| 4 | + |
| 5 | +| Version | Status | Supported with Security Updates | |
| 6 | +| :--- | :--- | :--- | |
| 7 | +| **5.1.x (LTS)** | **Current Major Release** | :white_check_mark: | |
| 8 | +| **5.0.x** | **End-of-Life** | :x: | |
| 9 | +| **4.0.x** | **Previous Major Release** | :white_check_mark: | |
| 10 | +| **< 4.0** | **End-of-Life** | :x: | |
| 11 | + |
| 12 | +--- |
| 13 | + |
| 14 | +## Reporting a Vulnerability |
| 15 | + |
| 16 | +Security is a top priority for PLUSE, especially given our role in mission-critical predictive maintenance. We appreciate the community's effort in disclosing vulnerabilities responsibly. |
| 17 | + |
| 18 | +### How to Report |
| 19 | + |
| 20 | +To report a security vulnerability in the PLUSE platform, please **DO NOT** open a public GitHub issue. Instead, please follow these steps: |
| 21 | + |
| 22 | +1. Draft a detailed report that clearly describes the vulnerability, including: |
| 23 | + * The **version(s)** of PLUSE affected. |
| 24 | + * The **type** of vulnerability (e.g., SQL Injection, XSS, Remote Code Execution). |
| 25 | + * A **proof-of-concept** or steps required to reproduce the issue. |
| 26 | + * The **impact** of the vulnerability on data confidentiality, integrity, or availability. |
| 27 | +2. Submit the report privately to the core development team via email at: **`security-pluse@iitk-phm.edu`** (Substitute with your actual security contact email). |
| 28 | +3. Please encrypt your email with our PGP key, which can be found [here](Link_to_PGP_Key). (Optional, but highly recommended). |
| 29 | + |
| 30 | +### Response and Triage Process |
| 31 | + |
| 32 | +1. **Acknowledgement:** You should receive an initial acknowledgement of your report within **48 hours** (two business days). |
| 33 | +2. **Triage:** The PLUSE Security Team will triage the vulnerability to assess its severity and validity. We aim to provide a status update on the report's acceptance or decline within **5 business days** of acknowledgement. |
| 34 | +3. **Acceptance:** If the vulnerability is accepted: |
| 35 | + * We will work internally to develop a patch. |
| 36 | + * We will provide you with an expected timeline for the fix and the release of the security update. |
| 37 | + * We request that you **keep the vulnerability confidential** until we have released the official fix to allow our users time to update their systems. |
| 38 | +4. **Declined:** If the vulnerability is declined (e.g., if it is non-reproducible, low impact, or not considered a security bug): |
| 39 | + * We will provide a brief explanation for the decision. |
| 40 | + * If you believe the issue warrants further attention, you may discuss it further with the team via the same private channel. |
| 41 | + |
| 42 | +### Severity and Timelines (Disclosure Policy) |
| 43 | + |
| 44 | +We follow the standard CVSS (Common Vulnerability Scoring System) to determine the severity and prioritize remediation. |
| 45 | + |
| 46 | +| Severity | Time to Remediation Target (After Acceptance) | Disclosure Protocol | |
| 47 | +| :--- | :--- | :--- | |
| 48 | +| **Critical** | **7 days** | Immediate release of patch and advisory. | |
| 49 | +| **High** | **14 days** | Release of patch and advisory. | |
| 50 | +| **Medium** | **30 days** | Remediation targeted for the next maintenance release. | |
| 51 | +| **Low** | **90 days** | Remediation targeted for a future release. | |
| 52 | + |
| 53 | +We are committed to public disclosure once a patch is available. We will credit the researcher who reported the vulnerability, unless they wish to remain anonymous. |
0 commit comments