Signed-off-by: William Roberts <william.c.roberts@intel.com>
William Roberts committed Jan 5, 2023
1 parent d0f5692, commit 826c103
Showing 2 changed files with 38 additions and 1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
# Security Policy | ||
|
||
## Supported Versions | ||
|
||
Currently supported versions: | ||
|
||
| Version | Supported | | ||
| ------- | ------------------ | | ||
| any | :white_check_mark: | | ||
|
||
## Reporting a Vulnerability | ||
|
||
### Reporting | ||
|
||
Security vulnerabilities can be disclosed in one of two ways: | ||
- GitHub: *preferred* By following [these](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) instructions. | ||
- Email: A descirption *should be emailed* to **all** members of the [MAINTAINERS](MAINTAINERS) file to coordinate the | ||
disclosure of the vulnerability. | ||
|
||
### Tracking | ||
|
||
When a maintainer is notified of a security vulnerability, they *must* create a GitHub security advisory | ||
per the instructions at: | ||
|
||
- <https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories> | ||
|
||
Maintainers *should* use the optional feature through GitHub to request a CVE be issued, alternatively RedHat has provided CVE's | ||
in the past and *may* be used, but preference is on GitHub as the issuing CNA. | ||
|
||
### Publishing | ||
|
||
Once ready, maintainers should publish the security vulnerability as outlined in: | ||
|
||
- <https://docs.github.com/en/code-security/repository-security-advisories/publishing-a-repository-security-advisory> | ||
|
||
As well as ensuring the publishing of the CVE, maintainers *shal*l have new release versions ready to publish at the same time as | ||
the CVE. Maintainers *should* should strive to adhere to a sub 60 say turn around from report to release. |
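Review bot: the new SECURITY.md carries several wording errors in the Reporting and Publishing sections that should be fixed before merge: `A descirption *should be emailed*` (descirption), `maintainers *shal*l have new release versions` (the italic markers split the word; use `*shall*`), `Maintainers *should* should strive` (duplicated word), and `sub 60 say turn around` (should read `sub-60-day turnaround`). The Supported Versions table also lists `any` as supported, which commits the maintainers to shipping fixes for every historical release; state the release lines that actually receive security fixes (for example, the latest release) so reporters and users know what to expect. Finally, the Email option links to `[MAINTAINERS](MAINTAINERS)`; confirm that file exists at the repository root so the relative link resolves from the rendered policy.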