Laurence Lundblade committed Feb 1, 2022
1 parent 2411b32, commit 56b17bf
Showing 1 changed file with 13 additions and 18 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,32 +1,27 @@ | ||
# Security Policy | ||
|
||
## Supported Versions | ||
|
||
QCBOR has not branched and is backwards compatible. The primary support is on the tip | ||
of the repository and most security fixes will be made there. | ||
|
||
If a security fix is needed for an older version, please report and request it | ||
explicitly and it will be considered if it truly can't be closed out by | ||
a fix to the tip and upgrading to the tip. | ||
|
||
## Reporting a Vulnerability | ||
|
||
Please report security vulnerabilities by sending email to [email protected] AND posting | ||
it as a GitHub issue. | ||
Please report security vulnerabilities by sending email to [email protected]. | ||
Please include "QCBOR SECURITY" in the subject line. | ||
|
||
A GitHub issue will be filed for any vulnerability of substance. It will be marked with | ||
the label "security". | ||
In most cases the vulnerability should not be reported by filing an issue in GitHub as this | ||
will publically disclose the issue before a fix is available. | ||
|
||
Laurence Lundblade maintains this code and will respond in a day or two with an initial | ||
evaluation. | ||
|
||
Security fixes will generally be prioritized over other work, especially if the | ||
vulnerability is a significant one. | ||
Security fixes will be prioritized over other work. | ||
|
||
Vulnerabilities will be fixed promptly, but some may be more complex than others | ||
and take longer. If the fix is quick, it will usually be turned around in a | ||
few days. | ||
|
||
If the vulnerability is rejected, an issue will be filed in GitHub and then closed | ||
with an explanation of why it was rejected. It will have the labels "security" | ||
and "wontfix". This is so there is a record of the filing. | ||
## Availability of Fixes | ||
|
||
When the fix has been created, it will be privately verified with the party that reported it. | ||
Only after the fix has been verified and the reporter has had a chance to integrate the fix, | ||
will be be made available as a public commit in GitHub. | ||
|
||
If the reporter doesn't respond or can't integrate the fix, it will be made public after 30 days. | ||
|
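Review bot: two spelling slips in the added lines: "publically disclose the issue" should read "publicly disclose the issue", and "will be be made available as a public commit" doubles "be" in the new Availability of Fixes section. Beyond that, removing the paragraphs that filed a labelled "security" issue for every substantive report and a closed "security"/"wontfix" issue for rejected ones leaves the policy silent on how a reporter learns that a report was rejected, and on where a public record of accepted fixes now lives; consider adding a sentence stating the replacement (for example, a rejection explanation sent by email, and an issue opened only once the fix is public) so that reporters and downstream users know what to expect. Since the new Availability of Fixes text commits to a 30-day fallback before public disclosure, it would also help to state when that clock starts (first report or fix completion), as the current wording leaves it ambiguous.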