Skip to content

Security: stepht/gogs

Security

SECURITY.md

Security policy

Supported versions

Only lastest two minor version releases are supported (>= 0.12) for accepting vulnerability reports and patching fixes.

Existing vulnerability reports are being tracked in Gogs Vulnerability Reports.

Vulnerability lifecycle

  1. Report a vulnerability:
    • We strongly enourage to use https://huntr.dev/ for submitting and managing status of vulnerability reports.
    • Alternatively, you may send vulnerability reports through emails to [email protected].
  2. Create a dummy issue with high-level description of the security vulnerability for credibility and tracking purposes.
  3. Project maintainers review the report and either:
    • Ask clarifying questions
    • Confirm or deny the vulnerability
  4. Once the vulnerability is confirmed, the reporter may submit a patch or wait for project maintainers to patch.
    • The latter is usually significantly slower.
  5. Patch releases will be made for the supported versions.
  6. Publish the original vulnerability report and a new GitHub security advisory.

Thank you!

There aren’t any published security advisories