From de4cffc179214128c51c2dd3770ef3e1e70e3d4c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elek=20M=C3=A1rton?= Date: Tue, 3 Nov 2020 10:24:40 +0100 Subject: [PATCH] HDDS-4424. Update README with information how to report security issues --- README.md | 2 +- SECURITY.md | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index ddf4c6ea87bf..940555cf902e 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ Ozone is part of the [Apache Hadoop](https://hadoop.apache.org) project. * Chat: You can find the #ozone channel on the official ASF slack. Invite link is [here](http://s.apache.org/slack-invite). * There are Open [Weekly calls](https://cwiki.apache.org/confluence/display/HADOOP/Ozone+Community+Calls) where you can ask anything about Ozone. * Past meeting notes are also available from the wiki. - + * Reporting security issues: Please consult with [SECURITY.md](./SECURITY.md) about reporting security vulerabilities and issues. ## Download diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..8d8a42b48d36 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,23 @@ +# Security Policy + +## Supported Versions + +The first stable release of Apache Ozone is 1.0, the previous alpha and beta releases are not supported by the community. + +| Version | Supported | +| ------------- | ------------------ | +| 0.3.0 (alpha) | :x: | +| 0.4.0 (alpha) | :x: | +| 0.4.1 (alpha) | :x: | +| 0.5.0 (beta) | :x: | +| 1.0 | :white_check_mark: | + +## Reporting a Vulnerability + +To report any found security issues or vulnerabilities, please send a mail to security@ozone.apache.org, so that they may be investigated and fixed before the vulnerabilities is published. + +This email address is a private mailing list for discussion of potential security vulnerabilities issues. + +This mailing list is **NOT** for end-user questions and discussion on security. Please use the dev@ozone.apache.org list for such issues. + +In order to post to the list, it is **NOT** necessary to first subscribe to it.
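Review bot: the added README.md bullet misspells "vulnerabilities" as "vulerabilities", and "Please consult with [SECURITY.md]" reads as if the file were a person. Suggest "Reporting security issues: see [SECURITY.md](./SECURITY.md) for how to report security vulnerabilities and issues." This bullet is the entry point most reporters will land on, so it would also help to state here that reports go to a private list and not to the public channels listed in the bullets above it.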
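Review bot: in the "Reporting a Vulnerability" section of SECURITY.md, "Please use the dev@ozone.apache.org list for such issues" is ambiguous, because the two preceding paragraphs use "issues" to mean vulnerabilities, so a reporter could read it as an instruction to post a vulnerability to the public dev list. Suggest wording it as "For general questions and discussion about security, use dev@ozone.apache.org instead" and adding an explicit sentence that unfixed vulnerabilities should not be posted to public lists or trackers. Smaller points in the same section: "before the vulnerabilities is published" has a number mismatch ("before the vulnerability is published" or "before they are published"), "potential security vulnerabilities issues" should drop one of the two nouns, and the comma splice in "is 1.0, the previous alpha and beta releases" under "Supported Versions" reads better as two sentences.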