-
Notifications
You must be signed in to change notification settings - Fork 28
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
incident-disclosure: add Incident Disclosure and Notification policy (#…
…12) * incident-disclosure: add Incident Disclosure and Notification policy New policy to document our commitments to disclosing security incidents and the exact process for notifying users. * Apply suggestions from code review Co-authored-by: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com> --------- Co-authored-by: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com>
- Loading branch information
Showing
3 changed files
with
44 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
--- | ||
title: Incident disclosure and notification policy | ||
slug: incident-disclosure | ||
policy: true | ||
faq: false | ||
weight: 13 | ||
--- | ||
|
||
This policy specifies when and how we notify users about security incidents. | ||
|
||
Both the client software and our managed backend infrastructure (i.e. coordination server) are in scope for this policy. | ||
|
||
For incidents that fall under any legal disclosure requirements (such as [California’s Data Security Breach Reporting](https://oag.ca.gov/privacy/databreach/reporting)), those requirements will take precedence over this policy. | ||
|
||
By “notify” here we mean explicitly contacting users in addition to regular release notes in the [changelog](https://tailscale.com/changelog/) and GitHub commit history. For example, you may read about minor vulnerability patches in release notes, but we may not notify users via a dedicated security bulletin. | ||
|
||
### When we notify users | ||
|
||
Generally, we aim to reduce noise and only notify users for actionable incidents. Tailscale does not notify users for routine security patching of dependencies. We also don’t notify users for vulnerabilities in our software, if we confirm the vulnerability was not exploited and no users were affected. | ||
|
||
We will **disclose** a security vulnerability **when a fix is available** and any of the following is true: | ||
|
||
* User action is needed to fix the vulnerability, e.g. updating the client software, or applying another mitigation; | ||
* We can confirm that tailnet metadata or data was visible to an unauthorized party; or | ||
* We cannot confirm that no users were affected by the vulnerability. | ||
|
||
We will **notify users directly** about a security vulnerability when we can confirm that the tailnet was affected, and any of the following is true: | ||
|
||
* User action is needed to fix the vulnerability, and it is a critical or high impact vulnerability; or | ||
* We can confirm that tailnet metadata or data was visible to an unauthorized party. | ||
|
||
### How we notify users | ||
|
||
To disclose security vulnerabilities, Tailscale publishes security bulletins publicly for a broad audience at [https://tailscale.com/security-bulletins/](https://tailscale.com/security-bulletins/). These can be consumed directly, via RSS readers or via social media bot accounts. | ||
|
||
To notify users about security vulnerabilities, Tailscale will **email** affected tailnets’ administrators, with information specific to the tailnet, including specific users or nodes which are affected. These emails will be sent to the [security contact](https://tailscale.com/kb/1224/contact-preferences/#setting-the-security-issues-email) for the tailnet, which by default is the Owner of the tailnet. | ||
|
||
Occasionally, Tailscale may decide to notify users in additional ways about a security issue, such as by publishing a [blog post](https://tailscale.com/blog/), or with in-product notifications by putting a warning banner in the admin console. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters