Commit | Line | Data |
---|---|---|
07db3f14 AJ |
1 | # Security Policy |
2 | ||
3 | ## Supported Versions | |
4 | ||
5 | Security-related reports are considered for official numbered releases | |
6 | starting with v3.5. However, issues that do not affect the current Stable or | |
7 | Beta series are unlikely to be fixed. Please see | |
8 | http://www.squid-cache.org/Versions/ for the list of releases that belong to | |
9 | the current series. | |
10 | ||
11 | Reports about security issues in the Development series are welcomed. However, | |
12 | the Development series contains experimental code that does not qualify for CVE | |
13 | allocation. | |
14 | ||
15 | ||
16 | ## Reporting a Vulnerability | |
17 | ||
18 | To report security-sensitive bugs, please post to the squid-bugs mailing | |
19 | [list](http://www.squid-cache.org/Support/mailing-lists.html#squid-bugs). It | |
20 | is a closed list (although anyone can post), and security-related bug reports | |
21 | are treated in confidence at least until the impact has been established. | |
22 | ||
23 | The security team strives to manually acknowledge each new report within 48 | |
24 | hours. Please feel free to email a reminder if you have not heard from us | |
25 | within that time frame. | |
26 | ||
27 | As a _last_ resort (e.g., if the squid-bugs contact point appears to be | |
28 | broken), contact the release maintainer directly. The maintainer is on the | |
29 | security team but may not be able to respond promptly. | |
30 | ||
31 | ||
32 | ### Encrypted reports | |
33 | ||
34 | Reporters wishing to encrypt their vulnerability reports can request GPG | |
35 | public keys from the security team members via the squid-bugs mailing list. | |
36 | Please note that encrypting reports may slow down their handling and is | |
37 | unlikely to improve the overall security of the process. |