# Security policy

## Supported versions

Only the latest two minor version releases (>= 0.12) are supported for accepting vulnerability reports and receiving patch fixes.

Existing vulnerability reports are being tracked in [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories).

## Vulnerability lifecycle

> [!important]
> Starting **Nov 9, 2023 00:00 UTC**, only security vulnerabilities reported through [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories/new) are accepted.
> Pre-existing vulnerabilities reported through https://huntr.dev/ or email (`security@gogs.io`) will continue to be worked through.

1. Report a vulnerability
1. Project maintainers review the report and either:
    - Ask clarifying questions
    - Confirm or deny the vulnerability
1. Once the vulnerability is confirmed, the reporter may submit a patch or wait for project maintainers to patch.
    - The latter is usually significantly slower.
1. Patch releases will be made for the supported versions.
1. Publish the report on [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories).

Thank you!