mirror of
https://github.com/decke/smtprelay.git
synced 2025-12-25 07:43:06 -07:00
Create SECURITY.md (#175)
Create an initial security policy. This is based on a document from the OpenSSF scorecard project: https://github.com/ossf/scorecard/blob/main/SECURITY.md
This commit is contained in:
committed by GitHub, parent dfd7620a64, commit 687c793203
SECURITY.md (normal file, 51 lines)
@@ -0,0 +1,51 @@
# smtprelay Security Policy
This document outlines security procedures and general policies for the
smtprelay project.
## Supported Versions
The latest release is the only supported release.
## Disclosing a security issue
The smtprelay maintainers take all security issues in the project seriously.
Thank you for improving the security of the project! We appreciate your
dedication to responsible disclosure and will make every effort to acknowledge
your contributions.
smtprelay leverages GitHub's private vulnerability reporting.
To learn more about this feature and how to submit a vulnerability report,
review [GitHub's documentation on private reporting](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability).
Here are some helpful details to include in your report:
- a detailed description of the issue
- the steps required to reproduce the issue
- versions of the project that may be affected by the issue
- if known, any mitigations for the issue
A maintainer will acknowledge the report within three (3) business days, and
will send a more detailed response within an additional three (3) business days
indicating the next steps in handling your report.
After the initial reply to your report, the maintainers will endeavor to keep
you informed of the progress towards a fix and full announcement, and may ask
for additional information or guidance.
## Vulnerability management
When the maintainers receive a disclosure report, they will coordinate the
fix and release process, which involves the following steps:
- confirming the issue
- determining affected versions of the project
- auditing code to find any potential similar problems
- preparing fixes for all releases under maintenance
## Suggesting changes
If you have suggestions on how this process could be improved please submit an
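Review bot: the "Supported Versions" section states that "The latest release is the only supported release", but the last step under "Vulnerability management" reads "preparing fixes for all releases under maintenance", which implies several maintained lines; align the two, e.g. "preparing a fix for the latest release". The policy also gives acknowledgement windows (three business days, then three more) but no target for when a fix is published or when the issue is disclosed publicly; a sentence on the expected time to a fixed release and on coordinating the announcement with the reporter would complete the "Vulnerability management" section. Finally, the report checklist could ask reporters for the smtprelay configuration in use, since whether an issue is reachable in a deployment depends on it; this is a suggestion, not something the current text requires.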