@@ -0,0 +1,20 @@
+# O3DE Security Policy
+
+## Reporting a Vulnerability
+If you have information about a security issue or vulnerability in O3DE, please send the vulnerability report via e-mail to [[email protected]](mailto:[email protected]).
+
+> **_NOTE:_** Please avoid creating GitHub issues, unless the vulnerability is already publicly disclosed, for example it has been reported in the [National Vulnerability Database](https://nvd.nist.gov/).
+
+The vulnerability report should include as much detail as possible, including:
+
+- All relevant fields from the O3DE standard [issue template](https://github.com/o3de/o3de/blob/development/.github/ISSUE_TEMPLATE/bug_template.md).
+
+- A detailed description of the vulnerability we can use to reproduce your findings.
+
+- A definition of who can exploit this vulnerability and what they would gain.
+
+- Information about any known exploits.
+
+A member of the [SIG-Security](https://github.com/o3de/sig-security/) Issue Response Team will review your e-mail and contact you to collaborate on resolving the issue.
+
+For more details, please refer to the [Security Documentation](https://www.o3de.org/docs/contributing/security) for O3DE.
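Review bot: The "Reporting a Vulnerability" paragraph offers plain e-mail as the only private channel and the closing "will review your e-mail and contact you" sentence gives no time frame, so a reporter cannot protect reproduction details in transit or tell when a report has gone unanswered. Consider adding a public key (or a link to one) or a second private channel next to the address, and stating an expected acknowledgement window in the SIG-Security sentence. Two smaller points: the first bullet links to the public bug template on the `development` branch, which sits awkwardly beside the note asking reporters not to open GitHub issues, so it may be worth saying explicitly that the template fields should be pasted into the e-mail; and the policy does not say which releases or branches are covered, which reporters usually look for in a SECURITY.md.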