configs/arch-config/.config/calibre/plugins/DeACSM/modules/asn1crypto/SECURITY.md

38 lines
1.5 KiB
Markdown
Raw Permalink Normal View History

# Security Policy
## How to Report
If you believe you've found an issue that has security implications, please do
not post a public issue on GitHub. Instead, email the project lead, Will Bond,
at will@wbond.net.
You should receive a response within two business days, and follow up emails
during the process of confirming the potential issue.
## Supported Versions
The asn1crypto project only provides security patches for the most recent
release. This is primarily a function of available resources.
## Disclosure Process
The following process is used when handling a potential secuirty issue:
1. The report should be emailed to will@wbond.net, and NOT posted on the
GitHub issue tracker.
2. Confirmation of receipt of the report should happen within two business
days.
3. Information will be collected and an investigation will be performed to
determine if a security issue exists.
4. If no security issue is found, the process will end.
5. A fix for the issue and announcement will be drafted.
6. A release schedule and accouncement will be negotiated between the
reporter and the project
7. The security contacts for Arch Linux, Conda, Debian, Fedora, FreeBSD,
Ubuntu, and Tidelift will be contacted to notify them of an upcoming
security release.
8. Fixes for all vulnerabilities will be performed, and new releases made,
but without mention of a security issue. These changes and releases will
be published before the announcement.
9. An announcement will be made disclosing the vulnerability and the fix.