# Security Policy

## Supported Versions

Security-related reports are considered for official numbered releases
starting with v3.5. However, issues that do not affect the current Stable or
Beta series are unlikely to be fixed. Please see
http://www.squid-cache.org/Versions/ for the list of releases that belong to
the current series.

Reports about security issues in the Development series are welcomed. However,
the Development series contains experimental code that does not qualify for CVE
allocation.


## Reporting a Vulnerability

To report security-sensitive bugs, please post to the squid-bugs mailing
[list](http://www.squid-cache.org/Support/mailing-lists.html#squid-bugs). It
is a closed list (although anyone can post), and security-related bug reports
are treated in confidence at least until the impact has been established.

The security team strives to manually acknowledge each new report within 48
hours. Please feel free to email a reminder if you have not heard from us
within that time frame.

As a _last_ resort (e.g., if the squid-bugs contact point appears to be
broken), contact the release maintainer directly. The maintainer is on the
security team but may not be able to respond promptly.


### Encrypted reports

Reporters wishing to encrypt their vulnerability reports can request GPG
public keys from the security team members via the squid-bugs mailing list.
Please note that encrypting reports may slow down their handling and is
unlikely to improve the overall security of the process.