diff options
| author | Andres Salomon <dilinger@queued.net> | 2021-01-18 04:00:14 -0500 |
|---|---|---|
| committer | Andres Salomon <dilinger@queued.net> | 2021-01-18 04:00:14 -0500 |
| commit | 09eb39236666e81d5da014acea011dcd74d0999b (patch) | |
| tree | 52876d96be71be1a39d5d935c1295a51995e8949 /SECURITY.md | |
| parent | f1788ee27f33e9339334e0d79bde9a27d9ce2e44 (diff) | |
| parent | a4e78956f105875625b572d8b98459ffa86fafe5 (diff) | |
| download | libquotient-09eb39236666e81d5da014acea011dcd74d0999b.tar.gz libquotient-09eb39236666e81d5da014acea011dcd74d0999b.zip | |
Update upstream source from tag 'upstream/0.6.4'
Update to upstream version '0.6.4'
with Debian dir aa8705fd74743e79c043bc9e3e425d5064404cfe
Diffstat (limited to 'SECURITY.md')
| -rw-r--r-- | SECURITY.md | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..e821aed1 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,37 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| master | :white_check_mark: | +| 0.6.x | :white_check_mark: | +| 0.5.x | :white_check_mark: | +| older | :x: | + +## Reporting a Vulnerability + +If you find a vulnerability, or evidence of one, use either of the following contacts: +- via email: [Kitsune Ral](mailto:Kitsune-Ral@users.sf.net); or +- via Matrix: [direct chat with @kitsune:matrix.org](https://matrix.to/#/@kitsune:matrix.org?action=chat). + +In any of these two options, indicate that you have such information (do not share it yet), and we'll tell you the next steps. + +By default, we will give credit to anyone who reports a vulnerability in a responsible way so that we can fix it before public disclosure. +If you want to remain anonymous or pseudonymous instead, please let us know; we will gladly respect your wishes. +If you provide a fix as a PR, you have no way to remain anonymous; you also thereby lay out the vulnerability itself +so this is NOT the right way for undisclosed vulnerabilities, whether or not you want to stay incognito. + +## Timeline and commitments + +Initial reaction to the message about a vulnerability (see above) will be +no more than 5 days. From the moment of the private report or public disclosure +(if it hasn't been reported earlier in private) of each vulnerability, we take +effort to fix it on priority before any other issues. In case of vulnerabilities +with [CVSS v2](https://nvd.nist.gov/cvss.cfm) score of 4.0 and higher +the commitment is to provide a workaround within 30 days and a full fix +within 60 days after the project has been made aware about the vulnerability +(in private or in public). For vulnerabilities with lower score there is +no commitment on the timeline, only prioritisation. The full fix doesn't imply +that all software functionality remains accessible (in the worst case +the vulnerable functionality may be disabled or removed to prevent the attack). |