|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +If you discover a security-related issue, please report it based on the instructions below. |
| 4 | + |
| 5 | +## Reporting a Vulnerability |
| 6 | + |
| 7 | +Please **DO NOT** file a public issue, instead report the vulnerability on the relevant |
| 8 | +[GitHub security](https://github.com/CESNET/libnetconf2/security) page. If you do not receive any reaction within 48 hours, |
| 9 | +please also send an email to [[email protected]]. |
| 10 | + |
| 11 | +## Review Process |
| 12 | + |
| 13 | +After receiving the report, an initial triage and technical analysis is performed to confirm the report and determine |
| 14 | +its scope. We may request additional information in this stage of the process. |
| 15 | + |
| 16 | +Once a reviewer has confirmed the relevance of the report, a draft security advisory will be created on GitHub. The |
| 17 | +draft advisory will be used to discuss the issue with maintainers, the reporter(s), and where applicable, other affected |
| 18 | +parties under embargo. |
| 19 | + |
| 20 | +If the vulnerability is accepted, a timeline for developing a patch, public disclosure, and patch release will be |
| 21 | +determined. If there is an embargo period on public disclosure before the patch release, the reporter(s) are expected to |
| 22 | +participate in the discussion of the timeline and abide by agreed upon dates for public disclosure. |
| 23 | + |
| 24 | +Usually, the reasonably complex issues are fixed within hours of being reported. |
| 25 | + |
| 26 | +## Supported Versions |
| 27 | + |
| 28 | +After an issue is fixed, it **WILL NOT** be backported to any released version. Instead, it is kept in the public `devel` |
| 29 | +branch, which is periodically merged into the main branch when a new release is due. So, the issue will be fixed in the |
| 30 | +next release after it is fixed. |
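Review bot: the contact in the "Reporting a Vulnerability" section is written as `[[email protected]]`, which is a bare bracketed string with no link target, so Markdown will render it as literal text instead of a clickable address; use the `[address](mailto:address)` form (with the real address substituted) so the fallback channel actually works. Two wording points in the same file: "Usually, the reasonably complex issues are fixed within hours of being reported" sits awkwardly next to the 48-hour response window above it (say what "reasonably complex" is meant to contrast with, or drop the sentence), and "the issue will be fixed in the next release after it is fixed" is circular; "the fix will ship in the next release" says the same thing. Finally, the "Supported Versions" heading never states which versions are supported, only that fixes are not backported; either name the supported branch(es) explicitly or retitle the section to match its content.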