| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +We provide security updates only for the latest released version of `uutils/coreutils`. |
| 6 | +Older versions may not receive patches. |
| 7 | +If you are using a version packaged by your Linux distribution, please check with your distribution maintainers for their update policy. |
| 8 | + |
| 9 | +--- |
| 10 | + |
| 11 | +## Reporting a Vulnerability |
| 12 | + |
| 13 | +**Do not open public GitHub issues for security vulnerabilities.** |
| 14 | +This prevents accidental disclosure before a fix is available. |
| 15 | + |
| 16 | +Instead, please use the following method: |
| 17 | + |
| 18 | +- **Email:** [sylvestre@debian.org](mailto:Sylvestre@debian.org) |
| 19 | +- **Encryption (optional):** You may encrypt your report using our PGP key: |
| 20 | +Fingerprint: B60D B599 4D39 BEC4 D1A9 5CCF 7E65 28DA 752F 1BE1 |
| 21 | +--- |
| 22 | + |
| 23 | +### What to Include in Your Report |
| 24 | + |
| 25 | +To help us investigate and resolve the issue quickly, please include as much detail as possible: |
| 26 | + |
| 27 | +- **Type of issue:** e.g. privilege escalation, information disclosure. |
| 28 | +- **Location in the source:** file path, commit hash, branch, or tag. |
| 29 | +- **Steps to reproduce:** exact commands, test cases, or scripts. |
| 30 | +- **Special configuration:** any flags, environment variables, or system setup required. |
| 31 | +- **Affected systems:** OS/distribution and version(s) where the issue occurs. |
| 32 | +- **Impact:** your assessment of the potential severity (DoS, RCE, data leak, etc.). |
| 33 | + |
| 34 | +--- |
| 35 | + |
| 36 | +## Disclosure Policy |
| 37 | + |
| 38 | +We follow a **Coordinated Vulnerability Disclosure (CVD)** process: |
| 39 | + |
| 40 | +1. We will acknowledge receipt of your report within **10 days**. |
| 41 | +2. We will investigate, reproduce, and assess the issue. |
| 42 | +3. We will provide a timeline for developing and releasing a fix. |
| 43 | +4. Once a fix is available, we will publish a GitHub Security Advisory. |
| 44 | +5. You will be credited in the advisory unless you request anonymity. |
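Review bot: the `---` placed directly under the `Fingerprint: B60D B599 ...` line, with no blank line between them, will be parsed by Markdown as a setext underline, rendering the fingerprint as an H2 heading instead of drawing a horizontal rule; add a blank line after the fingerprint line, matching the other `---` separators in this file, which are all surrounded by blank lines. Two smaller points in the same region: the fingerprint line sits immediately below the `- **Encryption (optional):**` bullet and so becomes a lazy continuation of that list item, which is probably intended but reads better indented or moved into the bullet itself, and the `mailto:` target is `Sylvestre@debian.org` while the visible text is lowercase `sylvestre@debian.org`; make them identical. It would also help reporters to state where the PGP key itself can be fetched (a keyserver or a file in the repository) so the published fingerprint can actually be verified against something.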