author | Joe Chen <jc@unknwon.io> | 2023-11-09 22:10:42 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-11-09 22:10:42 -0500 |
commit | 61940ca879d2599e446d302f0134dac2d08ce2fe (patch) | |
tree | ce36a6dd0eaf951e51701a01deb9c1da706f58ee | |
parent | 16b185f97dfc0dedf149a91f0b9d1924faf47ee4 (diff) |
chore: update security policy
[skip ci]
-rw-r--r-- | SECURITY.md | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/SECURITY.md b/SECURITY.md index 24ffd4c1..703fe8a5 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,20 +4,21 @@ Only lastest two minor version releases are supported (>= 0.12) for accepting vulnerability reports and patching fixes. -Existing vulnerability reports are being tracked in [Gogs Vulnerability Reports](https://jcunknwon.notion.site/Gogs-Vulnerability-Reports-81d7df52e45c4f159274e46ba48ed1b9). +Existing vulnerability reports are being tracked in [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories). ## Vulnerability lifecycle -1. Report a vulnerability: - - We strongly enourage to use https://huntr.dev/ for submitting and managing status of vulnerability reports. - - Alternatively, you may send vulnerability reports through emails to [security@gogs.io](mailto:security@gogs.io). -1. Create a [dummy issue](https://github.com/gogs/gogs/issues/6901) with high-level description of the security vulnerability for credibility and tracking purposes. +> [!important] +> Starting **Nov 9, 2023 00:00 UTC**, only security vulnerabilities reported through [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories/new) are accepted. +> Pre-existing vulnerability reported through https://huntr.dev/ or email (`security@gogs.io`) will continue to be worked through. + +1. Report a vulnerability 1. Project maintainers review the report and either: - Ask clarifying questions - Confirm or deny the vulnerability 1. Once the vulnerability is confirmed, the reporter may submit a patch or wait for project maintainers to patch. - The latter is usually significantly slower. 1. Patch releases will be made for the supported versions. -1. Publish the original vulnerability report and a new [GitHub security advisory](https://github.com/gogs/gogs/security/advisories). +1. Publish the report on [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories). Thank you! |
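Review bot: the new step `1. Report a vulnerability` no longer says where, and the only pointer to the submission form is the `[!important]` callout above the list; consider making the step self-contained, e.g. `1. Report a vulnerability via the [GitHub Security Advisories form](https://github.com/gogs/gogs/security/advisories/new)`, so readers who skip the callout still land on the accepted channel. In the same callout, `Pre-existing vulnerability reported through https://huntr.dev/ or email` should read `Pre-existing vulnerabilities reported through ...`. Since this commit touches the policy text anyway, the typo `lastest` in the unchanged context line `Only lastest two minor version releases are supported` could be fixed in the same change.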