|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +The maintainers of the Moby project take security seriously. If you discover |
| 4 | +a security issue, please bring it to their attention right away! |
| 5 | + |
| 6 | +## Reporting a Vulnerability |
| 7 | + |
| 8 | +Please **DO NOT** file a public issue, instead send your report privately |
| 9 | + |
| 10 | + |
| 11 | +Reporter(s) can expect a response within 72 hours, acknowledging the issue was |
| 12 | +received. |
| 13 | + |
| 14 | +## Review Process |
| 15 | + |
| 16 | +After receiving the report, an initial triage and technical analysis is |
| 17 | +performed to confirm the report and determine its scope. We may request |
| 18 | +additional information in this stage of the process. |
| 19 | + |
| 20 | +Once a reviewer has confirmed the relevance of the report, a draft security |
| 21 | +advisory will be created on GitHub. The draft advisory will be used to discuss |
| 22 | +the issue with maintainers, the reporter(s), and where applicable, other |
| 23 | +affected parties under embargo. |
| 24 | + |
| 25 | +If the vulnerability is accepted, a timeline for developing a patch, public |
| 26 | +disclosure, and patch release will be determined. If there is an embargo period |
| 27 | +on public disclosure before the patch release, the reporter(s) are expected to |
| 28 | +participate in the discussion of the timeline and abide by agreed upon dates |
| 29 | +for public disclosure. |
| 30 | + |
| 31 | +## Accreditation |
| 32 | + |
| 33 | +Security reports are greatly appreciated and we will publicly thank you, |
| 34 | +although we will keep your name confidential if you request it. We also like to |
| 35 | +send gifts - if you're into swag, make sure to let us know. We do not currently |
| 36 | +offer a paid security bounty program at this time. |
| 37 | + |
| 38 | +## Supported Versions |
| 39 | + |
| 40 | +This project does not provide long-term-supported releases. Only the current |
| 41 | +release is maintained. |
0 commit comments