diff options
-rw-r--r-- | SECURITY.md | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..34303f1267 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,32 @@ +# GnuTLS -- Information about our security issue handling process + + Security issues are reported either to [issue tracker](https://gitlab.com/gnutls/gnutls/issues) +as private bugs, or on the bug report mail address. + +The following steps describe the steps we recommend to use to address the +issue. + +# Which issues are security issues + +A metric we consult to assessing security vulnerabilities is +the [CVSS](https://www.first.org/cvss) metric. Only vulnerabilities +at the high or critical level are handled with this process. Other +issues are handled with the normal release process. + +# Committing a fix + +The fix when is made available, preferrably within 3 months of the report, +is pushed to the repository using a detailed message on all supported +branches which are affected. The commit message must refer to the bug +report addressed (e.g., our issue tracker or some external issue tracker). + +# Releasing + +Currently our releases are time-based, thus there are no special releases +targetting security fixes. At release time the NEWS entries must reflect +the issues addressed (also referring to the relevant issue trackers), and +security-related entries get assigned a GNUTLS-SA (gnutls security advisory +number). The assignment is done at release time at the web repository, in +the 'security-entries' path. The number assigned is the year separated +with a dash with the first unassigned number for the year. + |