author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-21 08:13:56 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-21 08:17:10 +0100 |
commit | 3fd3f58167d22bf1d2b6c8fccba804bf8ca5df91 (patch) | |
tree | 51db3ba9e8e9d9ff05ed678116596da30a1d9e8c | |
parent | 619acc1e884d778591d7f4c2ca2821d2bfd6aa52 (diff) | |
download | gnutls-3fd3f58167d22bf1d2b6c8fccba804bf8ca5df91.tar.gz |
Added SECURITY.md, a description of the security issue handling process
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | SECURITY.md | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..34303f1267 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,32 @@ +# GnuTLS -- Information about our security issue handling process + + Security issues are reported either to [issue tracker](https://gitlab.com/gnutls/gnutls/issues) +as private bugs, or on the bug report mail address. + +The following steps describe the steps we recommend to use to address the +issue. + +# Which issues are security issues + +A metric we consult to assessing security vulnerabilities is +the [CVSS](https://www.first.org/cvss) metric. Only vulnerabilities +at the high or critical level are handled with this process. Other +issues are handled with the normal release process. + +# Committing a fix + +The fix when is made available, preferrably within 3 months of the report, +is pushed to the repository using a detailed message on all supported +branches which are affected. The commit message must refer to the bug +report addressed (e.g., our issue tracker or some external issue tracker). + +# Releasing + +Currently our releases are time-based, thus there are no special releases +targetting security fixes. At release time the NEWS entries must reflect +the issues addressed (also referring to the relevant issue trackers), and +security-related entries get assigned a GNUTLS-SA (gnutls security advisory +number). The assignment is done at release time at the web repository, in +the 'security-entries' path. The number assigned is the year separated +with a dash with the first unassigned number for the year. + |
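Review bot: The reporting channel in the first paragraph is incomplete: "or on the bug report mail address" never names the address, so a reporter reading SECURITY.md on its own cannot use the second channel; spell out the address (and state whether encrypted mail is accepted) next to the issue-tracker link. Two smaller wording fixes in the same file: "A metric we consult to assessing security vulnerabilities" should read "in assessing", and "The fix when is made available, preferrably within 3 months" should be "When the fix is made available, preferably within 3 months". The "Releasing" section also has "targetting" for "targeting", and the GNUTLS-SA numbering sentence ("the year separated with a dash with the first unassigned number for the year") would be clearer as an explicit pattern, i.e. year, dash, then the next unused sequence number for that year. Finally, the process says nothing about informing the reporter of the fix or the release date; adding one line on that would close the loop the first paragraph opens.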