-rw-r--r--  SECURITY.md | 4
1 file changed, 2 insertions, 2 deletions
diff --git a/SECURITY.md b/SECURITY.md index 9bb46715..086258bd 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,7 +12,7 @@ If you find a significant vulnerability, or evidence of one, use either of the following contacts: - send an email to [Kitsune Ral](mailto:Kitsune-Ral@users.sf.net); or -- reach out in Matrix to #kitsune:matrix.org (if you can, switch encryption on). +- reach out in Matrix to [@kitsune:matrix.org](https://matrix.to/#/@kitsune:matrix.org) (if you can, switch encryption on). In any of these two options, indicate that you have such information (do not share it yet), and we'll tell you the next steps. @@ -25,7 +25,7 @@ so this is NOT the right way for undisclosed vulnerabilities, whether or not you Initial reaction to the message about a vulnerability (see above) will be no more than 5 days. From the moment of the private report or public disclosure (if it hasn't been reported earlier in private) of each vulnerability, we take effort to fix it on priority before -any other issues. In case of vulnerabilities with [CVSS 2.0](https://nvd.nist.gov/cvss.cfm) score of 4.0 and higher the commitment is +any other issues. In case of vulnerabilities with [CVSS v2](https://nvd.nist.gov/cvss.cfm) score of 4.0 and higher the commitment is to provide a workaround within 30 days and a full fix within 60 days after the specific information on the vulnerability has been reported to the project by any means (in private or in public). For vulnerabilities with lower score there is no commitment on the timeline, only prioritisation. The full fix doesn't imply that all software functionality remains accessible (in the worst case |
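Review bot: In the first hunk the Matrix contact changes from the room alias #kitsune:matrix.org to the user ID @kitsune:matrix.org, but the parenthetical "(if you can, switch encryption on)" is kept unchanged, so a reporter still has to guess what to do with it; now that the target is a person rather than a room, say it outright, e.g. "open a direct chat with [@kitsune:matrix.org](https://matrix.to/#/@kitsune:matrix.org) and enable encryption before sending any details", which also matches the "do not share it yet" instruction in the following context line. While touching this list, the unchanged line "In any of these two options" reads awkwardly and could become "With either of these options".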
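Review bot: In the second hunk the change from "CVSS 2.0" to "CVSS v2" is purely a rename and leaves the policy anchored to CVSS v2, which has been retired in favour of v3.x; a reporter scoring a finding with the current NVD calculator will get a v3 number, and the 4.0 threshold does not carry over unchanged between versions. Either state explicitly that the project expects a v2 score (and link a v2 calculator rather than the generic https://nvd.nist.gov/cvss.cfm page), or move the commitment to CVSS v3.1 and re-evaluate the 4.0 cut-off against that scale so the 30/60-day commitment is unambiguous.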