Skip to content

Commit

Permalink
doc UPDATE include a security policy
Browse files Browse the repository at this point in the history
  • Loading branch information
michalvasko committed Dec 18, 2024
1 parent de7c9ab commit dc2e0db
Showing 1 changed file with 30 additions and 0 deletions.
30 changes: 30 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# Security Policy

If you discover a security-related issue, please report it based on the instructions below.

## Reporting a Vulnerability

Please **DO NOT** file a public issue, instead report the vulnerability on the relevant
[GitHub security](https://github.com/CESNET/libnetconf2/security) page. If you do not receive any reaction within 48 hours,
please also send an email to [[email protected]].

## Review Process

After receiving the report, an initial triage and technical analysis is performed to confirm the report and determine
its scope. We may request additional information in this stage of the process.

Once a reviewer has confirmed the relevance of the report, a draft security advisory will be created on GitHub. The
draft advisory will be used to discuss the issue with maintainers, the reporter(s), and where applicable, other affected
parties under embargo.

If the vulnerability is accepted, a timeline for developing a patch, public disclosure, and patch release will be
determined. If there is an embargo period on public disclosure before the patch release, the reporter(s) are expected to
participate in the discussion of the timeline and abide by agreed upon dates for public disclosure.

Usually, the reasonably complex issues are fixed within hours of being reported.

## Supported Versions

After an issue is fixed, it **WILL NOT** be backported to any released version. Instead, it is kept in the public `devel`
branch, which is periodically merged into the main branch when a new release is due. So, the issue will be fixed in the
next release after it is fixed.

0 comments on commit dc2e0db

Please sign in to comment.