2023-07-26 09:21:26 -04:00
# Security Policy

This is a project of the [Apache Software Foundation](https://apache.org) and follows the
ASF [vulnerability handling process](https://apache.org/security/#vulnerability-handling).

## Reporting Vulnerabilities

**⚠️ Please do not file GitHub issues for security vulnerabilities as they are public! ⚠️**

The Apache Software Foundation takes a rigorous stance on eliminating security issues
in its software projects. Apache Superset is highly sensitive to, and forthcoming about,
issues pertaining to its features and functionality.

If you have any concern or believe you have found a vulnerability in Apache Superset,
please get in touch with the Apache Superset Security Team privately at the
e-mail address [security@superset.apache.org](mailto:security@superset.apache.org).

More details can be found on the ASF website at
[ASF vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability).

We kindly ask you to include the following information in your report:

- Apache Superset version that you are using
- A sanitized copy of your `superset_config.py` file or any config overrides (remove secrets such as `SECRET_KEY` and database credentials before sending)
- Detailed steps to reproduce the vulnerability

Note that Apache Superset is not responsible for any third-party dependencies that may
have security issues. Any vulnerabilities found in third-party dependencies should be
reported to the maintainers of those projects. Findings from security scans of the
Apache Superset dependencies shipped in its official Docker image can be remediated at
deployment time by extending the image itself (for example, by upgrading the affected
packages in a Dockerfile built on top of the official image).
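
As an added example (not part of the Superset project's own files), the following Dockerfile shows how a deployment can extend the official image to patch dependency findings at its own build time. The base tag `apache/superset:3.1.0`, the `apt-get` update step (the official image is Debian-based and runs as the unprivileged `superset` user) and the specific Python package pin are assumptions; substitute the tag and the packages your scanner actually reports.

```dockerfile
# Added example: a derived image that patches dependency findings from a
# scan of the official Apache Superset image. Not from the Superset project.
# The tag, the OS update step and the pip pin below are assumptions; replace
# them with what your scanner actually flags.
FROM apache/superset:3.1.0

# The official image runs as the unprivileged "superset" user; switch to
# root only for the duration of the package updates.
USER root

# Apply pending Debian security updates to OS-level libraries (e.g. openssl)
# and remove the apt lists so they do not bloat the layer.
RUN apt-get update \
 && apt-get upgrade -y \
 && rm -rf /var/lib/apt/lists/*

# Upgrade a flagged Python dependency to a fixed release. The package and
# version here are illustrative, not a specific Superset finding.
RUN pip install --no-cache-dir "cryptography>=42.0.4"

# Drop privileges again so the container does not run as root.
USER superset
```

Build it with `docker build -t superset-patched .`, re-scan the result (for example with `trivy image superset-patched`) to confirm the finding is gone, and run your usual smoke tests against the derived image before deploying it: upgrading a transitive dependency can break Superset itself, so the scan result alone is not proof the image still works.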

**Your responsible disclosure and collaboration are invaluable.**

## Extra Information

- [Apache Superset documentation](https://superset.apache.org/docs/security)
- [Common Vulnerabilities and Exposures by release](https://superset.apache.org/docs/security/cves)
- [How Security Vulnerabilities are Reported & Handled in Apache Superset (Blog)](https://preset.io/blog/how-security-vulnerabilities-are-reported-and-handled-in-apache-superset/)