Update security policy regarding past major releases

sendwyre · Aug 2, 2021 · bbd68b7 · bbd68b7
1 parent 2d1e82c
commit bbd68b7
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -68,6 +68,8 @@ The latest audit was done on October 2018 on version 2.0.0.
 
 Please report any security issues you find to [email protected].
 
+Critical bug fixes will be backported to past major releases.
+
 ## Contribute
 
 OpenZeppelin Contracts exists thanks to its contributors. There are many ways you can participate and help build high quality software. Check out the [contribution guide](CONTRIBUTING.md)!

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,18 @@
+# Security Policy
+
+## Supported Versions
+
+The recommendation is to use the latest version available.
+
+| Version | Supported                            |
+| ------- | ------------------------------------ |
+| 4.x     | :white_check_mark::white_check_mark: |
+| 3.4     | :white_check_mark:                   |
+| 2.5     | :white_check_mark:                   |
+| < 2.0   | :x:                                  |
+
+## Reporting a Vulnerability
+
+Please report any security issues you find to [email protected].
+
+Critical bug fixes will be backported to past major releases.
diff --git a/docs/modules/ROOT/pages/releases-stability.adoc b/docs/modules/ROOT/pages/releases-stability.adoc
@@ -79,7 +79,7 @@ The API stability guarantees may need to be broken in order to fix a bug, and we
 
 Starting on version 0.5.0, the Solidity team switched to a faster release cycle, with minor releases every few weeks (v0.5.0 was released on November 2018, and v0.5.5 on March 2019), and major, breaking-change releases every couple of months (with v0.6.0 released on December 2019 and v0.7.0 on July 2020). Including the compiler version in OpenZeppelin Contract's stability guarantees would therefore force the library to either stick to old compilers, or release frequent major updates simply to keep up with newer Solidity releases.
 
-Because of this, *the minimum required Solidity compiler version is not part of the stability guarantees*, and users may be required to upgrade their compiler when using newer versions of Contracts. Bug fixes will still be backported to older library releases so that all versions currently in use receive these updates.
+Because of this, *the minimum required Solidity compiler version is not part of the stability guarantees*, and users may be required to upgrade their compiler when using newer versions of Contracts. Bug fixes will still be backported to past major releases so that all versions currently in use receive these updates.
 
 You can read more about the rationale behind this, the other options we considered and why we went down this path https://github.com/OpenZeppelin/openzeppelin-contracts/issues/1498#issuecomment-449191611[here].