update security.md

minrk · minrk · commit 11e96ab9b9e5 · 2025-07-22T20:28:50.000-07:00
been a while...
diff --git a/SECURITY.md b/SECURITY.md
@@ -3,7 +3,7 @@
 This document outlines security procedures and general policies for the pyzmq project.
 
 - [Reporting a Bug](#reporting-a-bug)
-- [Disclosure Policy](#disclosure-policy)
+- [Security Process](#security-process)
 - [Comments on this Policy](#comments-on-this-policy)
 
 ## Reporting a Bug
@@ -12,29 +12,36 @@ Thank you for improving the security of pyzmq. We appreciate your efforts and
 responsible disclosure and will make every effort to acknowledge your
 contributions.
 
-Report security bugs by emailing the lead maintainer at benjaminrk AT gmail.com.
+Please report vulnerabilities via GitHub's security reporting at
+https://github.com/zeromq/pyzmq/security/advisories.
+You may also report vulnerabilities by emailing the lead maintainer at benjaminrk AT gmail.com.
+If you do so, please include your github username if you have one for the vulnerability process.
 
-The lead maintainer will acknowledge your email as promptly as possible,
+Maintainers will acknowledge the report as promptly as possible,
 and will follow up with a more detailed response.
 
-When the issue is confirmed, a GitHub security advisory will be created to discuss resolutions.
-We will endeavor to keep you informed of the progress towards a fix and full
-announcement, and may ask for additional information or guidance.
+## Security Process
 
-Report security bugs in libzmq itself or other packages to the mainainers of those packages.
+If you haven't used GitHub's vulnerability reporting, a draft GitHub security advisory will be created.
+The draft advisory will be used to privately discuss fixes and disclosure,
+including gathering more information from the reporter, as needed.
+After the fix is available to users, the security advisory will be published, usually within 7 days of publishing.
 
-## Disclosure Policy
+Report security bugs in libzmq itself or other packages to the maintainers of those packages.
 
-When the security team receives a security bug report, they will assign it to a
-primary handler. This person will coordinate the fix and release process,
-involving the following steps:
+Once the draft advisory is created, we will take the following steps:
 
 - Confirm the problem and determine the affected versions.
 - Audit code to find any potential similar problems.
-- Prepare fixes for all releases still under maintenance. These fixes will be
-  released as fast as possible to npm.
+- Prepare fixes for all releases still under maintenance.
+  This will usually be only the current major version.
+  These fixes will be released as fast as possible to PyPI and conda-forge.
+- Notify tidelift.
+- Publish GitHub Security Advisory.
+
+The timeline is on a best-effort basis.
 
 ## Comments on this Policy
 
-If you have suggestions on how this process could be improved please submit a
-pull request.
+Feel free to open a pull request or issue to suggest improvements to this process.
+Contributions welcome!
