Security: GSA/site-scanning-engine

docs/SECURITY.md

Security

As part of a U.S. government agency, the General Services Administration (GSA)'s Technology Transformation Services (TTS) takes seriously our responsibility to protect the public's information, including financial and personal information, from unwarranted disclosure.

Reporting security vulnerabilities

We want security researchers to feel comfortable reporting vulnerabilities they've discovered, as set out in this policy, so that we can fix them and keep our information safe.

This website follows TTS’s Vulnerability disclosure policy.

Keeping dependencies up-to-date

The Open Web Application Security Project (OWASP) curates a list of the Top 10 Most Critical Web Application Security Risks, and Using Components with Known Vulnerabilities has been on it the past seven years. We can, should, and must keep our dependencies up-to-date.

What you need to do

GitHub’s automated security alerts are enabled for this repository. All security alerts should be acted upon within two days, as requested by the TTS Tech Portfolio.

Acting means:

  • Updating the dependency to resolve the security issue.
  • Removing the vulnerable dependency or moving to a different comparable dependency to avoid the security issue.
  • Dismissing the security alert with “Risk is tolerable to this project.”
    • All security alerts dismissed in this way must be documented with a closed issue linking to the vulnerability and explaining why the risk is tolerable.