projects / thirdparty / squid.git / blame
| Commit | Line | Data |
|---|---|---|
| 07db3f14 AJ |
1 | # Security Policy |
| 2 | ||
| 3 | ## Supported Versions | |
| 4 | ||
| 5 | Security-related reports are considered for official numbered releases | |
| 6 | starting with v3.5. However, issues that do not affect the current Stable or | |
| 7 | Beta series are unlikely to be fixed. Please see | |
| 8 | http://www.squid-cache.org/Versions/ for the list of releases that belong to | |
| 9 | the current series. | |
| 10 | ||
| 11 | Reports about security issues in the Development series are welcomed. However, | |
| 12 | development series contains experimental code that does not qualify for CVE | |
| 13 | allocation. | |
| 14 | ||
| 15 | ||
| 16 | ## Reporting a Vulnerability | |
| 17 | ||
| 18 | To report security-sensitive bugs, please post to the squid-bugs mailing | |
| 19 | (list)[http://www.squid-cache.org/Support/mailing-lists.html#squid-bugs]. It | |
| 20 | is a closed list (although anyone can post), and security related bug reports | |
| 21 | are treated in confidence at least until the impact has been established. | |
| 22 | ||
| 23 | The security team strives to manually acknowledge each new report within 48 | |
| 24 | hours. Please feel free to email a reminder if you have not heard from us | |
| 25 | within that time frame. | |
| 26 | ||
| 27 | As a _last_ resort (e.g., if the squid-bugs contact point appears to be | |
| 28 | broken), contact the release maintainer directly. The maintainer is on the | |
| 29 | security team but may not be able to respond promptly. | |
| 30 | ||
| 31 | ||
| 32 | ### Encrypted reports | |
| 33 | ||
| 34 | Reporters wishing to encrypt their vulnerability reports can request GPG | |
| 35 | public keys from the security team members via the squid-bugs mailing list. | |
| 36 | Please note that encrypting reports may slow down their handling and is | |
| 37 | unlikely to improve the overall security of the process. |