summaryrefslogtreecommitdiff
path: root/SECURITY.md
diff options
context:
space:
mode:
Diffstat (limited to 'SECURITY.md')
-rw-r--r--SECURITY.md40
1 files changed, 40 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..bb7c88d8
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,40 @@
+# Security Policy
+
+You can find more information on security incidents
+on the [IdPy security webpage](https://idpy.org/security/).
+
+You read on the [incident response policy](https://github.com/IdentityPython/Governance/blob/master/idpy-incidentresponse.md)
+under the [governance documentation](https://github.com/IdentityPython/Governance).
+
+
+## Incident report / Reporting a Vulnerability
+
+Anyone can submit a potential security vulnerability to `incident-response@idpy.org`.
+The incident-response team will verify the issue and contact you on how this will be
+handled.
+
+
+## Public Discussions
+
+When a new vulnerability is reported and verified, a new security advisory is created on
+GitHub and the issue is assigned a CVE identifier. Progress on the mitigation is tracked
+on a private fork, where the incident-response team and developers communicate to fix
+the issue.
+
+When the fix is ready, a release plan is prepared and all communication channels are
+used to notify the community of the presence of a new issue and the expected release
+plan. This allows the community time to prepare for a security upgrade. (Notice that
+security fixes are not backported at the moment.)
+
+When the advisory is published, GitHub automatically notifies all associated projects of
+the published advisory. Projects that use IdPy projects as dependencies should
+automatically get Pull Requests by dependabot. Additionally, all communication channels
+are used again, to notify the community of the release of a new version of the affected
+software that contains the relevant fixes that mitigate the reported issue.
+
+
+## Supported versions
+
+Notice, that security fixes are not backported at the moment to older releases than the
+latest. The team does not have the capacity to guarantee that these backports will exist.
+You are advised to be prepared to upgrade to the latest version once the fix is out.
View Lorry Controller Status