- Notifications
You must be signed in to change notification settings - Fork2.5k
Security document update#8233
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
base:main
Are you sure you want to change the base?
Uh oh!
There was an error while loading.Please reload this page.
Conversation
b8409e9 to2ba4609Compare…mer to SECURITY.md document Signed-off-by: Kuljot Biring <ksbiring1@gmail.com>
…ext, bold text for bottom of disclaimer Signed-off-byL Kuljot Biring <ksbiring1@gmail.com>
2ba4609 to4231261Comparekingthorin commentedDec 9, 2023
To address the DCO requirement you'll need to sign-off the commit(s): |
cyber-0ps commentedDec 9, 2023
I agree withdevelopercertificate.org. |
kingthorin left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I'm not sure this is necessary or the correct place but here's a first quick review
| @@ -1,3 +1,4 @@ | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
This white space change is unnecessary
| ##Reporting a Bug | ||
| Please report any bugs via our issue[Bug Issue Tracker](https://github.com/zaproxy/zaproxy/issues/new/choose) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Drop “issue” before the link
| ##Security Advisories | ||
| Currently, there are not any published security advisories. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I’m don’t think this is true/accurate, I’d have to go digging. Pretty sure we have/had at least one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
We have had some security bugs reported which we've fixed, but we have not published ny security advisories.
Maybe we should...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I thought one or two had assigned CVEs (via the reporter not us), which I was lumping into the 'advisory' category.
| All rules are contained in add-ons so that they can be updated quickly and easily. | ||
| Active scanning is an attack on those targets. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
What targets? The text was just talking about scan rules
| You should NOT use it on web applications that you do not own. | ||
| It should be noted that active scanning can only find certain types of vulnerabilities. | ||
| Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
This isn’t really true, you can use the Access Control add-on to scan for those. It would be more realistic to say something about business logic issues.
| All rules are contained in add-ons so that they can be updated quickly and easily. | ||
| Active scanning is an attack on those targets. | ||
| You should NOT use it on web applications that you do not own. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
The note below is more accurate, you don’t have to own it to be authorized to asses something
| 2. Legality and Compliance: You alone are responsible for ensuring that your use of Zaproxy complies with all applicable laws, regulations, and ethical standards. Please follow the applicable legal requirements and industry best practices at all times. | ||
| 3. Privacy and Data Protection: When using Zaproxy, refrain from engaging in activities that compromise the privacy or security of data, PII and other sensitive data. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
PII and sensitive data are data. This should be shortened
thc202 commentedDec 9, 2023
I agree. |
| By using Zaproxy, you agree to comply with the terms and conditions below. Terms and conditions may be subject to change or modification at any time. Users are responsible for reviewing the terms regularly to ensure compliance with the latest version. | ||
| 1. Authorized Usage: You may only use Zaproxy for the purpose of assessing the security of web applications for which you have explicit and authorized access, permission, or ownership. Unauthorized scanning is strictly prohibited and unlawful. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
We never useZaproxy in this context, so this should beZAP.
https://www.zaproxy.org/docs/developer/dev-rules-and-guidelines/#style-guidelines
| 5. Use of this tool may cause disruption or unintended consequences to web applications and systems. The user is responsible for any damages or issues that may arise during or after the use of this tool. | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Zaproxy would cannot be held responsible legally for any misuse of the product, not permitted by Zaproxy policy.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I prefer the existing text.
Added direct links to reporting a bug, scan policies, and terms of use in order to make the document more robust and accessible to users of the product. Added (lack of) security advisory. Document updated with intent and scope of product use with words of caution to users while using the application.