# Security Policy

## How to Report

If you believe you've found an issue that has security implications, please do
not post a public issue on GitHub. Instead, email the project lead, Will Bond,
at will@wbond.net.

You should receive a response within two business days, and follow-up emails
during the process of confirming the potential issue.

## Supported Versions

The asn1crypto project only provides security patches for the most recent
release. This is primarily a function of available resources.

## Disclosure Process

The following process is used when handling a potential security issue:

1. The report should be emailed to will@wbond.net, and NOT posted on the
   GitHub issue tracker.
2. Confirmation of receipt of the report should happen within two business
   days.
3. Information will be collected and an investigation will be performed to
   determine if a security issue exists.
4. If no security issue is found, the process will end.
5. A fix for the issue and an announcement will be drafted.
6. A release schedule and announcement will be negotiated between the
   reporter and the project.
7. The security contacts for Arch Linux, Conda, Debian, Fedora, FreeBSD,
   Ubuntu, and Tidelift will be contacted to notify them of an upcoming
   security release.
8. Fixes for all vulnerabilities will be performed, and new releases made,
   but without mention of a security issue. These changes and releases will
   be published before the announcement.
9. An announcement will be made disclosing the vulnerability and the fix.