Commit 17e36ca

Update SECURITY.md
(cherry picked from commit 92a4046)
1 parent 8eebb83 commit 17e36ca

File tree

1 file changed

+8
-3
lines changed

.github/SECURITY.md

+8-3
@@ -11,8 +11,8 @@ RabbitMQ Core team really appreciates responsible vulnerability reports
1111
from security researchers and our user community.
1212

1313
To responsibly disclose a vulnerability, please use [GitHub Security Advisories](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) or email `[email protected]` or
14-
[sign up for RabbitMQ community Slack](https://rabbitmq-slack.herokuapp.com) and
15-
send a DM to @michaelklishin. For reports received via Slack, a separate private
14+
[sign up for RabbitMQ Discord server]([https://rabbitmq-slack.herokuapp.com](https://rabbitmq.com/discord)) and
15+
send a DM to @michaelklishin. For reports received via Discord, a separate private
1616
channel will be set up so that multiple RabbitMQ maintainers can access the disclosed
1717
information.
1818

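Review bot: the replacement link on line 14+ is malformed Markdown: `[sign up for RabbitMQ Discord server]([https://rabbitmq-slack.herokuapp.com](https://rabbitmq.com/discord))` nests a second link inside the URL part and still carries the old Slack URL, so the rendered link target will not be `https://rabbitmq.com/discord`. It should read `[sign up for RabbitMQ Discord server](https://rabbitmq.com/discord)`, with the herokuapp URL dropped entirely now that Slack is no longer a reporting channel.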
@@ -26,8 +26,13 @@ When reporting a vulnerability, please including the following information:
2626
* Why do you think this behavior is a security vulnerability
2727

2828
A received vulnerability report will be acknowledged by a RabbitMQ core team or VMware R&D staff member.
29+
For reports that will be considered legitimate and serious enough, a [GitHub Security Advisory](https://github.com/rabbitmq/rabbitmq-server/security/advisories)
30+
will be drafted. An advisory is a private way for reporters and collaborators to work on a solution.
31+
32+
After a new patch release is shipped, a [new CVE ID will be requested](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory#requesting-a-cve-identification-number-optional) as
33+
part of the advisory and eventually published. The advisory will credit the reporters.
34+
The associated discussion will be removed when the advisory is published.
2935

30-
As the security issue moves from triage, to identified fix, to release planning we will keep the reporter updated.
3136

3237
### When Should I Report a Vulnerability?
3338

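Review bot: line 29+ "For reports that will be considered legitimate and serious enough" is grammatically awkward; "For reports that are judged legitimate and serious enough" reads better. Two further points in this hunk: line 34+ "The associated discussion will be removed when the advisory is published" does not say which discussion is meant (the private advisory collaboration space, or the reporter's original thread), so a reporter cannot tell what record survives publication; and the unchanged header context "please including the following information" has a pre-existing typo ("please include") that could be fixed in the same commit since this file is already being edited.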
0 commit comments