-
-
Notifications
You must be signed in to change notification settings - Fork 826
doc(security): amend outdated security policy info #993
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,11 +2,28 @@ | |
|
|
||
| ## Supported Versions | ||
|
|
||
| Only the latest version. | ||
| Only the latest released version. | ||
|
|
||
| If you found a vulnerability that only applies to older versions but has been accidentally fixed recently, please also open a private advisory to let us evaluate if a backdated advisory is necessary. | ||
|
|
||
| If you found a vulnerability in unreleased code (Git trunk), please verify that the latest release is not affected and then use the public issue and pull request workflow to submit your research. | ||
|
|
||
| ## Reporting a Vulnerability | ||
|
|
||
| Please report (suspected) security vulnerabilities to | ||
| **[gotify@protonmail.com](mailto:gotify@protonmail.com)**. You will receive a | ||
| response from us within a few days. If the issue is confirmed, we will release a | ||
| [GitHub Advisory](https://github.com/gotify/server/security) | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can this link directly to https://github.com/gotify/server/security/advisories/new? |
||
| or **[gotify@protonmail.com](mailto:gotify@protonmail.com)**. | ||
| You will receive a response from us within a few days. | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. (optional) There are three lines with trailing whitespaces in this file. Please remove them. |
||
|
|
||
| To reduce paperwork and align with CVE key details phrasing, | ||
| an executive summary containing the following elements is sufficient for most reports: | ||
|
|
||
| - The affected component (package, file, function, etc) | ||
| - The root cause (weakness in code, insecure default, misleading documentation, etc) | ||
| - The attack model (precondition, vector, impact) | ||
| - A PoC | ||
|
|
||
| If the issue is confirmed, we will release a | ||
| patch as soon as possible. | ||
| Additionally, we will submit findings that demonstrate the necessity for | ||
| user triage to the GitHub CNA Program. | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.