From a21a7a11409da0b7f64868eb9efd6f5212273bbb Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Thu, 21 Dec 2023 01:26:34 +0100 Subject: [PATCH] Create SECURITY.md --- SECURITY.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..b94c1d0e --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,42 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| latest | :white_check_mark: | + +## Reporting a Vulnerability + +Anyone can submit a potential security vulnerability to `demarcog83@gmail.com`. +The author will verify the issue and contact you on how this will be +handled. + + +## Public Discussions + +When a new vulnerability is reported and verified, a new security advisory is created on +GitHub and the issue is assigned a CVE identifier. Progress on the mitigation is tracked +on a private fork, where the incident-response team and developers communicate to fix +the issue. + +When the fix is ready, a release plan is prepared and all communication channels are +used to notify the community of the presence of a new issue and the expected release +plan. This allows the community time to prepare for a security upgrade. (Notice that +security fixes are not backported at the moment.) + +When the advisory is published, GitHub automatically notifies all associated projects of +the published advisory. Projects that use IdPy projects as dependencies should +automatically get Pull Requests by dependabot. Additionally, all communication channels +are used again, to notify the community of the release of a new version of the affected +software that contains the relevant fixes that mitigate the reported issue. + + +## Supported versions + +Notice, that security fixes are not backported at the moment to older releases than the +latest. The team does not have the capacity to guarantee that these backports will exist. +You are advised to be prepared to upgrade to the latest version once the fix is out.
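Review bot: the first `## Supported Versions` section still carries the GitHub template placeholder ("Use this section to tell people about which versions of your project are currently being supported with security updates."), and the closing `## Supported versions` section restates the no-backport notice already given in parentheses under `## Public Discussions`; drop the placeholder sentence and fold the closing section into the first one so the version table and the no-backport policy sit together, which also removes the duplicated heading. The `## Reporting a Vulnerability` section would also benefit from an expected acknowledgement time and an explicit request not to open public issues for suspected vulnerabilities, which the current text leaves implicit.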