From c6b7a85f93551925f8534414c659d937aa57b92b Mon Sep 17 00:00:00 2001 From: Joyce Date: Thu, 14 Sep 2023 18:18:24 -0300 Subject: [PATCH 1/5] Create SECURITY.md Signed-off-by: Joyce --- SECURITY.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..a981dacc6 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,11 @@ +# Security Policy + +## Supported Versions + +Security updates are applied only to the latest release. + +## Reporting a Vulnerability + +If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released. +Please disclose it at [security advisory](https://github.com/publicsuffix/list/security/advisories/new). +This project is maintained by a team of volunteers on a reasonable-effort basis. As such, please give us at least 90 days to work on a fix before public exposure. From 8c143c6a6d52ed4c4141ad154378f66bf1d98ca9 Mon Sep 17 00:00:00 2001 From: Joyce Date: Fri, 15 Sep 2023 17:19:40 -0300 Subject: [PATCH 2/5] Update SECURITY.md Signed-off-by: Joyce --- SECURITY.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index a981dacc6..eabf584f3 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -8,4 +8,7 @@ Security updates are applied only to the latest release. If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released. Please disclose it at [security advisory](https://github.com/publicsuffix/list/security/advisories/new). + +Reports are limited to repo matters. Any vulnerability reports related to the addition or removal of PSL entries in the .dat file shall be rejected and referred to filing pull requests that should make mention the alleged urgency. + This project is maintained by a team of volunteers on a reasonable-effort basis. As such, please give us at least 90 days to work on a fix before public exposure. From 1aa575dc97895e6ec53d413dfed35ad06da6315d Mon Sep 17 00:00:00 2001 From: Joyce Date: Mon, 18 Sep 2023 09:21:20 -0300 Subject: [PATCH 3/5] Update SECURITY.md Signed-off-by: Joyce --- SECURITY.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index eabf584f3..8457909b2 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,8 +1,6 @@ # Security Policy -## Supported Versions - -Security updates are applied only to the latest release. +Security updates are applied only to the repository itself. ## Reporting a Vulnerability From 3d436b977b1ab41a4c6ab10f2d7ff48aad895470 Mon Sep 17 00:00:00 2001 From: Joyce Date: Mon, 6 Nov 2023 13:47:27 -0300 Subject: [PATCH 4/5] Update SECURITY.md Signed-off-by: Joyce --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 8457909b2..a3683a9eb 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -4,9 +4,9 @@ Security updates are applied only to the repository itself. ## Reporting a Vulnerability +Reports are limited to repo matters. Any vulnerability reports related to the addition or removal of PSL entries in the .dat file shall be rejected and referred to filing pull requests that should make mention the alleged urgency. + If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released. Please disclose it at [security advisory](https://github.com/publicsuffix/list/security/advisories/new). -Reports are limited to repo matters. Any vulnerability reports related to the addition or removal of PSL entries in the .dat file shall be rejected and referred to filing pull requests that should make mention the alleged urgency. - This project is maintained by a team of volunteers on a reasonable-effort basis. As such, please give us at least 90 days to work on a fix before public exposure. From 2e5025ab75613175fcb83e1a28e6494af74bb76d Mon Sep 17 00:00:00 2001 From: Joyce Date: Wed, 8 Nov 2023 10:27:54 -0300 Subject: [PATCH 5/5] Update SECURITY.md Signed-off-by: Joyce --- SECURITY.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index a3683a9eb..eb0b7f5c6 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -7,6 +7,7 @@ Security updates are applied only to the repository itself. Reports are limited to repo matters. Any vulnerability reports related to the addition or removal of PSL entries in the .dat file shall be rejected and referred to filing pull requests that should make mention the alleged urgency. If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released. -Please disclose it at [security advisory](https://github.com/publicsuffix/list/security/advisories/new). + +Please disclose it at [security advisory](https://github.com/publicsuffix/list/security/advisories/new) and send an email with the link to the newly filed issue to [security@mozilla.org](mailto:security@mozilla.org) to expedite the review on our end. This project is maintained by a team of volunteers on a reasonable-effort basis. As such, please give us at least 90 days to work on a fix before public exposure.
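Review bot: In PATCH 1/5, the three added lines under "## Reporting a Vulnerability" ("If you have discovered…", "Please disclose it at…", "This project is maintained…") have no blank line between them, so Markdown renders them as a single run-on paragraph and the advisory link ends up buried mid-text. Put a blank line between each of the three so the reporting link and the 90-day request stand out as separate paragraphs.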
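Review bot: In PATCH 2/5, the added scope sentence ends with "filing pull requests that should make mention the alleged urgency", which is missing "of" and is hard to parse at the one point where a reporter is being redirected. Suggest something like "will be rejected; please file a pull request instead and state the urgency there". The same sentence refers to "the .dat file" without naming it, so giving the file's actual name would remove any doubt about which reports are out of scope.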
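Review bot: In PATCH 3/5, the replacement line "Security updates are applied only to the repository itself." now sits directly under the title with no heading and does not say what falls outside it. With the "latest release" wording removed, a reader cannot tell whether this means there are no versioned releases to backport fixes to, or that copies of the list shipped in other software are not covered. Suggest saying explicitly which of these is meant.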
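Review bot: In PATCH 4/5, the moved paragraph now opens the section with "Reports are limited to repo matters." but "repo matters" is never defined, so the first thing a reporter reads is a restriction they cannot evaluate. Since this sentence decides whether a report is accepted or rejected, suggest listing what is in scope next to the existing statement of what is out of scope (addition or removal of PSL entries).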
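Review bot: In PATCH 5/5, the new line asks the reporter to email "the link to the newly filed issue", while the paragraph just above says "**Do not disclose it as a public issue.**", so "issue" here can be read as an instruction to open a public issue. The link target is security/advisories/new, so suggest "the link to the newly filed advisory". It would also help to state that the email should carry only the link and not the vulnerability details, since the advisory is the private channel.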