# Security Policy

## Supported Versions

We are an open source project with no corporate sponsor and no formal
"support".  In practice, we support the latest released version and work with
OS vendors to make it easy for them to backport fixes for their distributed
packages.  For some security issues, we will issue a patch-release which has
just a simple fix.

We also often have `exim-VERSION+fixes` branches with small things which we
recommend that vendors use.

For postmasters installing Exim manually, we recommend always using the latest
released tarball.

## Reporting a Vulnerability

Our security page is at <https://wiki.exim.org/EximSecurity>.
It contains the current contact point and list of PGP keys to use for
encrypting particularly sensitive information.
This also links to our documentation and the chapter on security
considerations.

Our security release process is at
<https://wiki.exim.org/SecurityReleaseProcess>.
This covers what we do in handling vulnerability reports.

We have no bug bounty program of our own; we're far too disparate a group of
volunteers for such things.