From d5bd0472e76e2fb28613855460e46987a2061650 Mon Sep 17 00:00:00 2001 From: Andrew Lilley Brinker Date: Wed, 14 Feb 2024 09:49:56 -0800 Subject: [PATCH] Create SECURITY.md Signed-off-by: Andrew Lilley Brinker --- SECURITY.md | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..b8525df --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,45 @@ +# Security Policy + +The following versions of this repository's crates are considered supported, +and will receive security updates. + +__`gitoid`__ + +| Version | Supported | +|:-----------------| ------------------ | +| `gitoid-0.4.x` | :white_check_mark: | +| `gitoid-0.3.x` | :x: | + +__`omnibor`__ + +| Version | Supported | +|:-----------------| ------------------ | +| `omnibor-0.2.x` | :white_check_mark: | + +## Reporting a Vulnerability + +Vulnerabilities can be reported using the "Report a Vulnerability" button under +the security tab of the repository. If a vulnerability is found to be legitimate, +a RustSec advisory will be created. + +Please give us 90 days to respond to a vulnerability disclosure. In general, we +will try to be faster than that to produce fixes and respond publicly to +disclosures. + +If we accept the legitimacy of a vulnerability, please wait for us to have +publcily responded to the vulnerability, including publication of new versions, +yanking of old versions, and public disclosure in the RustSec database, before +publicly disclosing the vulnerability yourself. + +We ask that you _not_ create advisories yourself, but instead submit +vulnerability reports to us first so we can plan a response including +producing any necessary patches, publishing fixed versions, yanking affected +versions, and communicating about the vulnerability to users. + +We consider soundness violations (violations of safe Rust's memory, thread, or +type safety guarantees) to be at least informational vulnerabilities and +will treat them as such. + +RustSec advisories are automatically imported into the GitHub Security Advisory +system, and into the OSV database, so duplicate reports do not need to be made +for those systems.