Diffstat (limited to '')
-rw-r--r--  SECURITY.md (renamed from doc/sources/security.rst)  26
1 files changed, 12 insertions, 14 deletions
diff --git a/doc/sources/security.rst b/SECURITY.md
index 5a8fcd0..b8328a5 100644
--- a/doc/sources/security.rst
+++ b/SECURITY.md
@@ -1,16 +1,15 @@
-Security Process
-================
+# Security Process
-If you find a vulnerability in our software, please send the email to
-"tatsuhiro.t at gmail dot com" about its details instead of submitting
+If you find a vulnerability in our software, please report it via
+GitHub "Private vulnerability reporting" feature at
+https://github.com/nghttp2/nghttp2/security instead of submitting
issues on github issue page. It is a standard practice not to
disclose vulnerability information publicly until a fixed version is
-released, or mitigation is worked out. In the future, we may setup a
-dedicated mail address for this purpose.
+released, or mitigation is worked out.
If we identify that the reported issue is really a vulnerability, we
-open a new security advisory draft using `GitHub security feature
-<https://github.com/nghttp2/nghttp2/security>`_ and discuss the
+open a new security advisory draft using [GitHub security
+feature](https://github.com/nghttp2/nghttp2/security) and discuss the
mitigation and bug fixes there. The fixes are committed to the
private repository.
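Review bot: the rewritten first paragraph drops the previous e-mail contact without naming any fallback, so a reporter who cannot or will not use a GitHub account is left with no reporting channel; consider keeping an alternative contact or stating explicitly that reports are accepted only through GitHub's private vulnerability reporting. Minor grammar while this paragraph is being rewritten anyway: `please report it via the GitHub "Private vulnerability reporting" feature at` and `issues on the GitHub issue page`.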
@@ -21,12 +20,11 @@ We make a new release with the fix at the same time when the
vulnerability is disclosed to public.
At least 7 days before the public disclosure date, we open a new issue
-on `nghttp2 issue tracker
-<https://github.com/nghttp2/nghttp2/issues>`_ which notifies that the
-upcoming release will have a security fix. The ``SECURITY`` label is
-attached to this kind of issue. The issue is not opened if a
-vulnerability is already disclosed, and it is publicly known that
-nghttp2 is affected by that.
+on [nghttp2 issue tracker](https://github.com/nghttp2/nghttp2/issues)
+which notifies that the upcoming release will have a security fix.
+The `SECURITY` label is attached to this kind of issue. The issue is
+not opened if a vulnerability is already disclosed, and it is publicly
+known that nghttp2 is affected by that.
Before few hours of new release, we merge the fixes to the master
branch (and/or a release branch if necessary) and make a new release.
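Review bot: the unchanged context lines framing this hunk carry grammar that could be fixed in the same Markdown conversion: `vulnerability is disclosed to public.` should read `vulnerability is disclosed to the public.`, and `Before few hours of new release, we merge the fixes to the master` should read `A few hours before a new release, we merge the fixes into the master`. The re-wrapped issue-tracker link and the ``SECURITY`` to `SECURITY` change are otherwise a correct RST-to-Markdown conversion.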