| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +We release patches for security vulnerabilities for the following versions: |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +| ------- | ------------------ | |
| 9 | +| 5.x | :white_check_mark: | |
| 10 | +| < 5.0 | :x: | |
| 11 | + |
| 12 | +We recommend using the latest version of pySDC to ensure you have the latest security updates. |
| 13 | + |
| 14 | +## Reporting a Vulnerability |
| 15 | + |
| 16 | +We take the security of pySDC seriously. If you believe you have found a security vulnerability, please report it to us as described below. |
| 17 | + |
| 18 | +**Please do not report security vulnerabilities through public GitHub issues.** |
| 19 | + |
| 20 | +Instead, please report them via email to: |
| 21 | + |
| 22 | +- **r.speck@fz-juelich.de** (Robert Speck, Project Maintainer) |
| 23 | + |
| 24 | +You should receive a response within 5 business days. If for some reason you do not, please follow up via email to ensure we received your original message. |
| 25 | + |
| 26 | +Please include the following information in your report (as much as you can provide): |
| 27 | + |
| 28 | +- Type of issue (e.g., arbitrary code execution, unsafe deserialization, path traversal, etc.) |
| 29 | +- Full paths of source file(s) related to the manifestation of the issue |
| 30 | +- The location of the affected source code (tag/branch/commit or direct URL) |
| 31 | +- Any special configuration required to reproduce the issue |
| 32 | +- Step-by-step instructions to reproduce the issue |
| 33 | +- Proof-of-concept or exploit code (if possible) |
| 34 | +- Impact of the issue, including how an attacker might exploit the issue |
| 35 | + |
| 36 | +This information will help us triage your report more quickly. |
| 37 | + |
| 38 | +## Security Update Policy |
| 39 | + |
| 40 | +Security updates will be released as soon as possible after a vulnerability is confirmed and a fix is available. Updates will be announced through: |
| 41 | + |
| 42 | +- GitHub Security Advisories |
| 43 | +- Release notes in the [CHANGELOG](./CHANGELOG.md) |
| 44 | +- The project's GitHub Releases page |
| 45 | + |
| 46 | +## Dependencies |
| 47 | + |
| 48 | +pySDC uses several third-party dependencies. We monitor our dependencies for known security vulnerabilities and update them as needed. If you discover a security issue in one of our dependencies, please also report it to the respective maintainers of that dependency. |
| 49 | + |
| 50 | +## Comments on This Policy |
| 51 | + |
| 52 | +If you have suggestions on how this process could be improved, please submit a pull request or open an issue to discuss. |
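Review bot: the "Reporting a Vulnerability" section (lines 20-24 of the file) relies on a single plain-email contact with no backup address, no PGP key and no alternative channel, so a report is lost or exposed if that inbox is unavailable or mail is intercepted; since "GitHub Security Advisories" is already listed under "Security Update Policy", consider also enabling GitHub's private vulnerability reporting for the repository as a second intake path, publishing a key or fingerprint next to the address, and stating what happens after the 5-business-day acknowledgement (expected fix and disclosure timeline). Two smaller points: the supported-versions table should say how long a release line stays supported after a new major version ships, and the `./CHANGELOG.md` link should be checked to resolve from the repository root where SECURITY.md is expected to live.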