From fe7c47fb2a95c1f3dc6fcaf177faf81171b320ef Mon Sep 17 00:00:00 2001 From: microcks-bot Date: Tue, 4 Mar 2025 12:13:41 +0000 Subject: [PATCH] chore: update SECURITY.md from global .github repo Signed-off-by: microcks-bot --- SECURITY.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index f2ff6f4..b4f8b9d 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,6 +2,22 @@ ## Reporting a Vulnerability -If you've found a vulnerability in our components or website, or want additional information regarding how we manage security, please report it via a [GitHub discussion](https://github.com/microcks/microcks/discussions). +If you've found a vulnerability in our components or website or want additional information regarding how we manage security, please report it via a [GitHub discussion](https://github.com/microcks/microcks/discussions). -In case you do not want to publicly report a security issue for one of the libraries owned by the Microcks community, write an email with a detailed description of the issue to security@microcks.io. \ No newline at end of file +If you do not want to publicly report a security issue for one of the libraries owned by the Microcks community, write an email with a detailed description of the issue to security@microcks.io. + +## Public Disclosure Timing + +We prefer to fully disclose the bug as soon as possible once a user mitigation is available. The Fix Lead drives the schedule using their best judgment based on severity, development time, and release manager feedback. If the Fix Lead deals with public disclosure, all timelines will be set as soon as possible (ASAP). + +## Supported Versions + +Microcks releases follow the [semver](https://semver.org/) specification. Security fixes are typically merged into the current development branch and are due for release in the next minor version. We may create a fix release upon request or, if deemed necessary, as part of a critical security fix. + +## Security Team + +The security team is made up of a subset of the project [maintainers](https://github.com/microcks/.github/blob/main/GOVERNANCE.md#maintainers-code-owners-contributors-and-adopters) and [code owners](https://github.com/microcks/.github/blob/main/GOVERNANCE.md#maintainers-code-owners-contributors-and-adopters) who are willing and able to respond to vulnerability reports. 
+ +## Credits + +Sections of this document have been borrowed and inspired from the [OpenEBS](https://github.com/openebs/community/blob/72506ee3b885bd06324b82a650fcd3a61e93eef0/SECURITY.md) project.
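Review bot: the reporting section still directs vulnerability reports to a public GitHub discussion by default and offers the security@microcks.io mailbox only as an opt-out; for a SECURITY.md the private channel should be the primary instruction, with the discussion forum reserved for general questions about how security is managed, and the mailbox sentence should state what a reporter can expect (an acknowledgement window, and whether an encryption key is available for the report). In the new "Public Disclosure Timing" section, "If the Fix Lead deals with public disclosure, all timelines will be set as soon as possible (ASAP)." is hard to parse and "Fix Lead" is not defined anywhere in this file; consider something like "The Fix Lead (the maintainer coordinating the fix) sets the disclosure schedule; where the Fix Lead also handles the public announcement, disclosure follows as soon as the fix is released." or link to where the role is defined. Minor: "write an email with a detailed description" reads as a bare imperative next to the "please report it" phrasing above it; "please email a detailed description" keeps the tone consistent.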