mirror of
https://github.com/decke/smtprelay.git
synced 2025-12-24 23:32:34 -07:00
Create SECURITY.md (#175)
Create an initial security policy. This is based on a document from the OpenSSF scorecard project https://github.com/ossf/scorecard/blob/main/SECURITY.md
committed by GitHub
parent dfd7620a64
commit 687c793203
51
SECURITY.md
Normal file
@@ -0,0 +1,51 @@
# smtprelay Security Policy

This document outlines security procedures and general policies for the
smtprelay project.

## Supported Versions

The latest release is the only supported release.


## Disclosing a security issue

The smtprelay maintainers take all security issues in the project seriously.
Thank you for improving the security of the project! We appreciate your
dedication to responsible disclosure and will make every effort to acknowledge
your contributions.

smtprelay leverages GitHub's private vulnerability reporting.

To learn more about this feature and how to submit a vulnerability report,
review [GitHub's documentation on private reporting](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability).

Here are some helpful details to include in your report:

- a detailed description of the issue
- the steps required to reproduce the issue
- versions of the project that may be affected by the issue
- if known, any mitigations for the issue

A maintainer will acknowledge the report within three (3) business days, and
will send a more detailed response within an additional three (3) business days
indicating the next steps in handling your report.

After the initial reply to your report, the maintainers will endeavor to keep
you informed of the progress towards a fix and full announcement, and may ask
for additional information or guidance.

## Vulnerability management

When the maintainers receive a disclosure report, they will coordinate the
fix and release process, which involves the following steps:

- confirming the issue
- determining affected versions of the project
- auditing code to find any potential similar problems
- preparing fixes for all releases under maintenance

## Suggesting changes

If you have suggestions on how this process could be improved please submit an
issue or pull request.
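Review bot: the "Supported Versions" statement (`The latest release is the only supported release.`) conflicts with the last step under "Vulnerability management" (`- preparing fixes for all releases under maintenance`); either say that fixes are prepared for the latest release only, or define which releases count as under maintenance so reporters know what to expect. Since the process relies entirely on GitHub's private vulnerability reporting, it would also help to name a fallback contact for reporters who cannot use that feature, and to state the intended disclosure timeline after a fix is ready (the text promises a "full announcement" but gives no expected window).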