Skip to content

Commit bea66d6

Browse files
kevinbackhousekevinbackhouse
authored
Clarify policy on when a bug is considered a security issue (#2038)
Clarify policy on when a bug is considered a security issue.
1 parent d508e09 commit bea66d6

File tree

1 file changed

+3
-1
lines changed

1 file changed

+3
-1
lines changed

SECURITY.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -30,7 +30,9 @@ If you have found a security vulnerability in Exiv2, please follow these steps:
3030

3131
The draft security advisory is private until we publish it, so it is a good place to discuss the details of the vulnerability privately. For the initial email, just a summary of the issue is sufficient.
3232

33-
To qualify as a security issue, the bug **must** be reproducible on an official release of Exiv2. Official releases are listed [here](https://github.com/Exiv2/exiv2/releases) (not including those labeled "pre-release"). Bugs that are only reproducible on the [main branch](https://github.com/Exiv2/exiv2/tree/main) or on a pre-release are not security issues and can be reported as regular [issues](https://github.com/Exiv2/exiv2/issues).
33+
To qualify as a security issue, the bug **must** be reproducible on an official release of Exiv2, via a realistic attack vector. As a general rule, that means it should be possible to trigger the bug by running the `exiv2` command-line application on a malicious input file. Please note that the applications in the `samples` sub-directory are demo applications that are not intended for production use, so we usually do not consider bugs in those applications to be security vulnerabilities. However, if one of the sample applications reveals a legitimate bug in the exiv2 library then we will still consider it as a potential security issue.
34+
35+
Official releases are listed [here](https://github.com/Exiv2/exiv2/releases) (not including those labeled "pre-release"). Bugs that are only reproducible on the [main branch](https://github.com/Exiv2/exiv2/tree/main) or on a pre-release are not security issues and can be reported as regular [issues](https://github.com/Exiv2/exiv2/issues).
3436

3537
Team Exiv2 does not back-port security (or any other fix) to earlier releases of the code. An engineer at SUSE has patched and fixed some security releases for Exiv2 v0.26 and Exiv2 v0.25 in branches 0.26 and 0.25. Exiv2 has provided several _**Dot Release**_ for v0.27. Exiv2 has never issued a _**Security Release**_.
3638

0 commit comments

Comments
 (0)