From dc2e0dbc9360747f11c0cf693d6978cf1463a35e Mon Sep 17 00:00:00 2001 From: Michal Vasko Date: Wed, 18 Dec 2024 13:31:59 +0100 Subject: [PATCH] doc UPDATE include a security policy --- SECURITY.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..8a0d5731 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,30 @@ +# Security Policy + +If you discover a security-related issue, please report it based on the instructions below. + +## Reporting a Vulnerability + +Please **DO NOT** file a public issue, instead report the vulnerability on the relevant +[GitHub security](https://github.com/CESNET/libnetconf2/security) page. If you do not receive any reaction within 48 hours, +please also send an email to [mvasko@cesnet.cz]. + +## Review Process + +After receiving the report, an initial triage and technical analysis is performed to confirm the report and determine +its scope. We may request additional information in this stage of the process. + +Once a reviewer has confirmed the relevance of the report, a draft security advisory will be created on GitHub. The +draft advisory will be used to discuss the issue with maintainers, the reporter(s), and where applicable, other affected +parties under embargo. + +If the vulnerability is accepted, a timeline for developing a patch, public disclosure, and patch release will be +determined. If there is an embargo period on public disclosure before the patch release, the reporter(s) are expected to +participate in the discussion of the timeline and abide by agreed upon dates for public disclosure. + +Usually, the reasonably complex issues are fixed within hours of being reported. + +## Supported Versions + +After an issue is fixed, it **WILL NOT** be backported to any released version. Instead, it is kept in the public `devel` +branch, which is periodically merged into the main branch when a new release is due. So, the issue will be fixed in the +next release after it is fixed.
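Review bot: in the Reporting a Vulnerability section, `[mvasko@cesnet.cz]` is a Markdown link with no target, so it renders as bracketed plain text rather than a usable address; write it as `<mvasko@cesnet.cz>` or `[mvasko@cesnet.cz](mailto:mvasko@cesnet.cz)`. Under Review Process, "the reasonably complex issues are fixed within hours of being reported" reads as if only complex issues get fast fixes; "issues of reasonable complexity are usually fixed within hours" states the intended scope more clearly. In Supported Versions, "So, the issue will be fixed in the next release after it is fixed" is circular; "So the fix ships in the next release, once `devel` is merged into the main branch" carries the same point without the repetition. That section also never names which versions are supported; if the intent is that only the latest release receives fixes, say so explicitly so reporters and downstream packagers know where to look.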