mirror of https://github.com/collective/icalendar
Apply suggestion for security policy, copied from Pylons
See https://github.com/Pylons/.github/blob/main/SECURITY.md
See https://github.com/collective/icalendar/pull/755#discussion_r1894708114
pull/755/head
parent
e43536e067
commit
0ec11d5351
@ -15,20 +15,42 @@ Security vulnerabilities are fixed only for the latest version of ``icalendar``.
* - Version
- Supported
* - 6.*
- ✅
- YES
* - 5.*
- ❌
- no
* - 4.*
- ❌
- no
* - < 4.*
- ❌
- no


Reporting a Vulnerability
-------------------------

Please `report vulnerabilities of icalendar to Plone
<https://github.com/plone/.github/blob/main/SECURITY.md#readme>`_.
If you cannot do this, please contact one of the
:ref:`maintainers`
directly or open an issue.
To report security issues of ``collective/icalendar``, use the ``Report a vulnerability`` button on the project's `Security Page <https://github.com/collective/icalendar/security>`_.
If you cannot do this, please contact one of the :ref:`maintainers` directly.

If we determine that your report may be a security issue with the project, we may contact you for further information.
We volunteers ask that you delay public disclosure of your report for at least ninety (90) days from the date you report it to us.
This will allow sufficient time for us to process your report and coordinate disclosure with you.

Once verified and fixed, the following steps will be taken:

- We will use GitHub's Security Advisory tool to report the issue.
- GitHub will review our Security Advisory report for compliance with Common Vulnerabilities and Exposures (CVE) rules.
If it is compliant, they will submit it to the MITRE Corporation to generate a `CVE <https://www.cve.org/>`_.
This in turn submits the CVE to the `National Vulnerability Database (NVD) <https://nvd.nist.gov/vuln/search>`_.
GitHub notifies us of their decision.
- Assuming it is compliant, we then publish our Security Advisory on GitHub, which triggers the next steps.
- GitHub will publish the CVE to the CVE List.
- GitHub will broadcast our Security Advisory via the `GitHub Advisory Database <https://github.com/advisories`_.
- GitHub will send `security alerts <https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies>`_ to all repositories that use our package (and have opted into security alerts).
This includes Dependabot alerts.
- We will make a bug-fix release.
- We will send an announcement through our usual channels:

- The GitHub release
- The GitHub discussions
- The `Plone Community Forum <https://community.plone.org/>`_

- We will provide credit to the reporter or researcher in the vulnerability notice.
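Review bot: the hyperlink in the "GitHub will broadcast our Security Advisory via the GitHub Advisory Database" bullet is missing the closing angle bracket before the backtick. It reads "<https://github.com/advisories`_" but reStructuredText needs "<https://github.com/advisories>`_"; as written the link target will not parse and the bullet will render as literal text. Two smaller points in the same hunk: the supported-versions table now mixes "YES" and "no", so pick one casing for that column; and "We volunteers ask that you delay public disclosure" reads more naturally as "As volunteers, we ask that you delay public disclosure".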