Diffstat
-rw-r--r-- | SECURITY.md (renamed from doc/sources/security.rst) | 26 |
1 files changed, 12 insertions, 14 deletions
diff --git a/doc/sources/security.rst b/SECURITY.md index 5a8fcd0..b8328a5 100644 --- a/doc/sources/security.rst +++ b/SECURITY.md @@ -1,16 +1,15 @@ -Security Process -================ +# Security Process -If you find a vulnerability in our software, please send the email to -"tatsuhiro.t at gmail dot com" about its details instead of submitting +If you find a vulnerability in our software, please report it via +GitHub "Private vulnerability reporting" feature at +https://github.com/nghttp2/nghttp2/security instead of submitting issues on github issue page. It is a standard practice not to disclose vulnerability information publicly until a fixed version is -released, or mitigation is worked out. In the future, we may setup a -dedicated mail address for this purpose. +released, or mitigation is worked out. If we identify that the reported issue is really a vulnerability, we -open a new security advisory draft using `GitHub security feature -<https://github.com/nghttp2/nghttp2/security>`_ and discuss the +open a new security advisory draft using [GitHub security +feature](https://github.com/nghttp2/nghttp2/security) and discuss the mitigation and bug fixes there. The fixes are committed to the private repository. 
@@ -21,12 +20,11 @@ We make a new release with the fix at the same time when the vulnerability is disclosed to public. At least 7 days before the public disclosure date, we open a new issue -on `nghttp2 issue tracker -<https://github.com/nghttp2/nghttp2/issues>`_ which notifies that the -upcoming release will have a security fix. The ``SECURITY`` label is -attached to this kind of issue. The issue is not opened if a -vulnerability is already disclosed, and it is publicly known that -nghttp2 is affected by that. +on [nghttp2 issue tracker](https://github.com/nghttp2/nghttp2/issues) +which notifies that the upcoming release will have a security fix. +The `SECURITY` label is attached to this kind of issue. The issue is +not opened if a vulnerability is already disclosed, and it is publicly +known that nghttp2 is affected by that. Before few hours of new release, we merge the fixes to the master branch (and/or a release branch if necessary) and make a new release. |
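Review bot: In the first hunk the new reporting sentence reads "please report it via GitHub "Private vulnerability reporting" feature at ... instead of submitting issues on github issue page"; it is missing articles and mixes "GitHub" with "github". Suggest: "please report it via the GitHub "Private vulnerability reporting" feature at https://github.com/nghttp2/nghttp2/security instead of opening an issue on the GitHub issue tracker." Since this hunk also moves the file out of doc/sources (security.rst becomes SECURITY.md at the repository root), it is worth confirming that nothing under doc/sources, such as a Sphinx toctree, still references security.rst, otherwise the documentation build will point at a file that no longer exists.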
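Review bot: The second hunk rewraps the pre-disclosure paragraph and converts the rst link and ``SECURITY`` literal to Markdown correctly, but the trailing context line "Before few hours of new release, we merge the fixes to the master branch" is ungrammatical and, since the paragraph is being reformatted anyway, could be fixed in the same change: "A few hours before a new release, we merge the fixes into the master branch (and/or a release branch if necessary) and make a new release."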