icalendar/docs/security.rst

Security Policy
===============

This documents the security policy and actions to take to secure the package and its deployment and use.

Supported Versions
------------------

Security vulnerabilities are fixed only for the latest version of ``icalendar``.

.. list-table:: Versions to receive security updates
   :widths: 25 25
   :header-rows: 1

   * - Version
     - Supported
   * - 6.*
     - YES
   * - 5.*
     - no
   * - 4.*
     - no
   * - before 4.*
     - no


Reporting a Vulnerability
-------------------------

To report security issues of ``collective/icalendar``, use the ``Report a vulnerability`` button on the project's `Security Page <https://github.com/collective/icalendar/security>`_.
If you cannot do this, please contact one of the :ref:`maintainers` directly.

The maintainers of ``icalendar`` will then notify `Plone's security team <https://plone.org/security/report>`_.

If we determine that your report may be a security issue with the project, we may contact you for further information.
We volunteers ask that you delay public disclosure of your report for at least ninety (90) days from the date you report it to us.
This will allow sufficient time for us to process your report and coordinate disclosure with you.

Once verified and fixed, the following steps will be taken:

-   We will use GitHub's Security Advisory tool to report the issue.
-   GitHub will review our Security Advisory report for compliance with Common Vulnerabilities and Exposures (CVE) rules.
    If it is compliant, they will submit it to the MITRE Corporation to generate a `CVE <https://www.cve.org/>`_.
    This in turn submits the CVE to the `National Vulnerability Database (NVD) <https://nvd.nist.gov/vuln/search>`_.
    GitHub notifies us of their decision.
-   Assuming it is compliant, we then publish `our Security Advisory <https://github.com/collective/icalendar/security/advisories>`_ on GitHub, which triggers the next steps.
-   GitHub will publish the CVE to the CVE List.
-   GitHub will broadcast our Security Advisory via the `GitHub Advisory Database <https://github.com/advisories>`_.
-   GitHub will send `security alerts <https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies>`_ to all repositories that use our package (and have opted into security alerts).
    This includes Dependabot alerts.
-   We will make a bug-fix release.
-   We will send an announcement through our usual channels:

    - The :ref:`Changelog`
    - The GitHub releases of ``icalendar``
    - If possible also `Plone's Security Announcements <https://plone.org/security/announcements>`_

-   We will provide credit to the reporter or researcher in the vulnerability notice.
Add Security Policy 2024-12-02 13:58:28 +00:00			`Security Policy`
			`===============`

Update docs/security.rst Co-authored-by: Steve Piercy <web@stevepiercy.com> 2024-12-21 23:57:38 +00:00			`This documents the security policy and actions to take to secure the package and its deployment and use.`
Add Security Policy 2024-12-02 13:58:28 +00:00
			`Supported Versions`
			`------------------`

Update docs/security.rst Co-authored-by: Steve Piercy <web@stevepiercy.com> 2024-12-21 23:57:59 +00:00			Security vulnerabilities are fixed only for the latest version of ``icalendar``.
Add Security Policy 2024-12-02 13:58:28 +00:00
			`.. list-table:: Versions to receive security updates`
			`:widths: 25 25`
			`:header-rows: 1`

			`* - Version`
			`- Supported`
			`* - 6.*`
Apply suggestion for security policy, copied from Pylons See https://github.com/Pylons/.github/blob/main/SECURITY.md See https://github.com/collective/icalendar/pull/755#discussion_r1894708114 2024-12-23 13:12:47 +00:00			`- YES`
Add Security Policy 2024-12-02 13:58:28 +00:00			`* - 5.*`
Apply suggestion for security policy, copied from Pylons See https://github.com/Pylons/.github/blob/main/SECURITY.md See https://github.com/collective/icalendar/pull/755#discussion_r1894708114 2024-12-23 13:12:47 +00:00			`- no`
Add Security Policy 2024-12-02 13:58:28 +00:00			`* - 4.*`
Apply suggestion for security policy, copied from Pylons See https://github.com/Pylons/.github/blob/main/SECURITY.md See https://github.com/collective/icalendar/pull/755#discussion_r1894708114 2024-12-23 13:12:47 +00:00			`- no`
correct process of disclosure 2024-12-23 13:21:19 +00:00			`* - before 4.*`
Apply suggestion for security policy, copied from Pylons See https://github.com/Pylons/.github/blob/main/SECURITY.md See https://github.com/collective/icalendar/pull/755#discussion_r1894708114 2024-12-23 13:12:47 +00:00			`- no`
Add Security Policy 2024-12-02 13:58:28 +00:00

			`Reporting a Vulnerability`
			`-------------------------`

Apply suggestion for security policy, copied from Pylons See https://github.com/Pylons/.github/blob/main/SECURITY.md See https://github.com/collective/icalendar/pull/755#discussion_r1894708114 2024-12-23 13:12:47 +00:00			To report security issues of ``collective/icalendar``, use the ``Report a vulnerability`` button on the project's `Security Page <https://github.com/collective/icalendar/security>`_.
			If you cannot do this, please contact one of the :ref:`maintainers` directly.

correct process of disclosure 2024-12-23 13:21:19 +00:00			The maintainers of ``icalendar`` will then notify `Plone's security team <https://plone.org/security/report>`_.

Apply suggestion for security policy, copied from Pylons See https://github.com/Pylons/.github/blob/main/SECURITY.md See https://github.com/collective/icalendar/pull/755#discussion_r1894708114 2024-12-23 13:12:47 +00:00			`If we determine that your report may be a security issue with the project, we may contact you for further information.`
			`We volunteers ask that you delay public disclosure of your report for at least ninety (90) days from the date you report it to us.`
			`This will allow sufficient time for us to process your report and coordinate disclosure with you.`

			`Once verified and fixed, the following steps will be taken:`

			`- We will use GitHub's Security Advisory tool to report the issue.`
			`- GitHub will review our Security Advisory report for compliance with Common Vulnerabilities and Exposures (CVE) rules.`
			If it is compliant, they will submit it to the MITRE Corporation to generate a `CVE <https://www.cve.org/>`_.
			This in turn submits the CVE to the `National Vulnerability Database (NVD) <https://nvd.nist.gov/vuln/search>`_.
			`GitHub notifies us of their decision.`
Add link to security advisory board 2025-01-18 17:43:02 +00:00			- Assuming it is compliant, we then publish `our Security Advisory <https://github.com/collective/icalendar/security/advisories>`_ on GitHub, which triggers the next steps.
Apply suggestion for security policy, copied from Pylons See https://github.com/Pylons/.github/blob/main/SECURITY.md See https://github.com/collective/icalendar/pull/755#discussion_r1894708114 2024-12-23 13:12:47 +00:00			`- GitHub will publish the CVE to the CVE List.`
correct process of disclosure 2024-12-23 13:21:19 +00:00			- GitHub will broadcast our Security Advisory via the `GitHub Advisory Database <https://github.com/advisories>`_.
Apply suggestion for security policy, copied from Pylons See https://github.com/Pylons/.github/blob/main/SECURITY.md See https://github.com/collective/icalendar/pull/755#discussion_r1894708114 2024-12-23 13:12:47 +00:00			- GitHub will send `security alerts <https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies>`_ to all repositories that use our package (and have opted into security alerts).
			`This includes Dependabot alerts.`
			`- We will make a bug-fix release.`
			`- We will send an announcement through our usual channels:`

correct process of disclosure 2024-12-23 13:21:19 +00:00			- The :ref:`Changelog`
			- The GitHub releases of ``icalendar``
			- If possible also `Plone's Security Announcements <https://plone.org/security/announcements>`_
Apply suggestion for security policy, copied from Pylons See https://github.com/Pylons/.github/blob/main/SECURITY.md See https://github.com/collective/icalendar/pull/755#discussion_r1894708114 2024-12-23 13:12:47 +00:00
			`- We will provide credit to the reporter or researcher in the vulnerability notice.`