Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 20 additions & 3 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,28 @@

## Supported Versions

Only the latest version.
Only the latest released version.

If you found a vulnerability that only applies to older versions but has been accidentally fixed recently, please also open a private advisory to let us evaluate if a backdated advisory is necessary.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
If you found a vulnerability that only applies to older versions but has been accidentally fixed recently, please also open a private advisory to let us evaluate if a backdated advisory is necessary.
If you found a vulnerability that only applies to older versions but has been accidentally fixed recently, please open a private advisory to let us evaluate if a backdated advisory is necessary.


If you found a vulnerability in unreleased code (Git trunk), please verify that the latest release is not affected and then use the public issue and pull request workflow to submit your research.

## Reporting a Vulnerability

Please report (suspected) security vulnerabilities to
**[gotify@protonmail.com](mailto:gotify@protonmail.com)**. You will receive a
response from us within a few days. If the issue is confirmed, we will release a
[GitHub Advisory](https://github.com/gotify/server/security)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

or **[gotify@protonmail.com](mailto:gotify@protonmail.com)**.
You will receive a response from us within a few days.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(optional) There are three lines with trailing whitespaces in this file. Please remove them.


To reduce paperwork and align with CVE key details phrasing,
an executive summary containing the following elements is sufficient for most reports:

- The affected component (package, file, function, etc)
- The root cause (weakness in code, insecure default, misleading documentation, etc)
- The attack model (precondition, vector, impact)
- A PoC

If the issue is confirmed, we will release a
patch as soon as possible.
Additionally, we will submit findings that demonstrate the necessity for
user triage to the GitHub CNA Program.
Loading