chore: update security policy

[skip ci]
Joe Chen 2023-11-09 22:10:42 -05:00 committed by GitHub
parent 16b185f97d
commit 61940ca879
GPG Key ID: 4AEE18F83AFDEB23


@ -4,20 +4,21 @@
Only lastest two minor version releases are supported (>= 0.12) for accepting vulnerability reports and patching fixes. Only lastest two minor version releases are supported (>= 0.12) for accepting vulnerability reports and patching fixes.
Existing vulnerability reports are being tracked in [Gogs Vulnerability Reports](https://jcunknwon.notion.site/Gogs-Vulnerability-Reports-81d7df52e45c4f159274e46ba48ed1b9). Existing vulnerability reports are being tracked in [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories).
## Vulnerability lifecycle ## Vulnerability lifecycle
1. Report a vulnerability: > [!important]
- We strongly enourage to use https://huntr.dev/ for submitting and managing status of vulnerability reports. > Starting **Nov 9, 2023 00:00 UTC**, only security vulnerabilities reported through [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories/new) are accepted.
- Alternatively, you may send vulnerability reports through emails to [security@gogs.io](mailto:security@gogs.io). > Pre-existing vulnerability reported through https://huntr.dev/ or email (`security@gogs.io`) will continue to be worked through.
1. Create a [dummy issue](https://github.com/gogs/gogs/issues/6901) with high-level description of the security vulnerability for credibility and tracking purposes.
1. Report a vulnerability
1. Project maintainers review the report and either: 1. Project maintainers review the report and either:
- Ask clarifying questions - Ask clarifying questions
- Confirm or deny the vulnerability - Confirm or deny the vulnerability
1. Once the vulnerability is confirmed, the reporter may submit a patch or wait for project maintainers to patch. 1. Once the vulnerability is confirmed, the reporter may submit a patch or wait for project maintainers to patch.
- The latter is usually significantly slower. - The latter is usually significantly slower.
1. Patch releases will be made for the supported versions. 1. Patch releases will be made for the supported versions.
1. Publish the original vulnerability report and a new [GitHub security advisory](https://github.com/gogs/gogs/security/advisories). 1. Publish the report on [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories).
Thank you! Thank you!
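Review bot: the hunk still carries the typo "lastest" in its first unchanged line ("Only lastest two minor version releases are supported"), and the new callout sentence "Pre-existing vulnerability reported through https://huntr.dev/ or email ... will continue to be worked through" has a number agreement problem; since this change rewrites the surrounding block, fix both here, e.g. "Only the latest two minor version releases are supported" and "Pre-existing vulnerability reports submitted through https://huntr.dev/ or email (`security@gogs.io`) will continue to be worked on." Separately, the new step "1. Report a vulnerability" lost the sub-bullets that told reporters where to file, so consider carrying the `security/advisories/new` link from the callout into the step itself so the lifecycle list reads stand-alone. Finally, the cut-over is stated as Nov 9, 2023 00:00 UTC while the commit is dated 2023-11-09 22:10 -05:00 (already Nov 10 UTC), so the policy takes effect before it was published; either adjust the date to the publication time or note explicitly that reports sent via huntr or email on Nov 9 fall under the "pre-existing" clause.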