[thirdparty/git.git] / SECURITY.md

# Security Policy

## Reporting a vulnerability

Please send a detailed mail to git-security@googlegroups.com to
report vulnerabilities in Git.

Even when unsure whether the bug in question is an exploitable
vulnerability, it is recommended to send the report to
git-security@googlegroups.com (and obviously not to discuss the
issue anywhere else).

Vulnerabilities are expected to be discussed _only_ on that
list, and not in public, until the official announcement on the
Git mailing list on the release date.

Examples for details to include:

- Ideally a short description (or a script) to demonstrate an
  exploit.
- The affected platforms and scenarios (the vulnerability might
  only affect setups with case-sensitive file systems, for
  example).
- The name and affiliation of the security researchers who are
  involved in the discovery, if any.
- Whether the vulnerability has already been disclosed.
- How long an embargo would be required to be safe.

## Supported Versions

There are no official "Long Term Support" versions in Git.
Instead, the maintenance track (i.e. the versions based on the
most recently published feature release, also known as ".0"
version) sees occasional updates with bug fixes.

Fixes to vulnerabilities are made for the maintenance track for
the latest feature release and merged up to the in-development
branches. The Git project makes no formal guarantee for any
older maintenance tracks to receive updates. In practice,
though, critical vulnerability fixes are applied not only to the
most recent track, but to at least a couple more maintenance
tracks.

This is typically done by making the fix on the oldest and still
relevant maintenance track, and merging it upwards to newer and
newer maintenance tracks.

For example, v2.24.1 was released to address a couple of
[CVEs](https://cve.mitre.org/), and at the same time v2.14.6,
v2.15.4, v2.16.6, v2.17.3, v2.18.2, v2.19.3, v2.20.2, v2.21.1,
v2.22.2 and v2.23.1 were released.
Commit	Line	Data
2e99b1e3 JS	1	# Security Policy
	2
	3	## Reporting a vulnerability
	4
	5	Please send a detailed mail to git-security@googlegroups.com to
	6	report vulnerabilities in Git.
	7
	8	Even when unsure whether the bug in question is an exploitable
	9	vulnerability, it is recommended to send the report to
	10	git-security@googlegroups.com (and obviously not to discuss the
	11	issue anywhere else).
	12
	13	Vulnerabilities are expected to be discussed _only_ on that
	14	list, and not in public, until the official announcement on the
	15	Git mailing list on the release date.
	16
	17	Examples for details to include:
	18
	19	- Ideally a short description (or a script) to demonstrate an
	20	exploit.
	21	- The affected platforms and scenarios (the vulnerability might
	22	only affect setups with case-sensitive file systems, for
	23	example).
	24	- The name and affiliation of the security researchers who are
	25	involved in the discovery, if any.
	26	- Whether the vulnerability has already been disclosed.
	27	- How long an embargo would be required to be safe.
	28
	29	## Supported Versions
	30
	31	There are no official "Long Term Support" versions in Git.
	32	Instead, the maintenance track (i.e. the versions based on the
	33	most recently published feature release, also known as ".0"
	34	version) sees occasional updates with bug fixes.
	35
	36	Fixes to vulnerabilities are made for the maintenance track for
	37	the latest feature release and merged up to the in-development
	38	branches. The Git project makes no formal guarantee for any
	39	older maintenance tracks to receive updates. In practice,
	40	though, critical vulnerability fixes are applied not only to the
	41	most recent track, but to at least a couple more maintenance
	42	tracks.
	43
	44	This is typically done by making the fix on the oldest and still
	45	relevant maintenance track, and merging it upwards to newer and
	46	newer maintenance tracks.
	47
	48	For example, v2.24.1 was released to address a couple of
	49	[CVEs](https://cve.mitre.org/), and at the same time v2.14.6,
	50	v2.15.4, v2.16.6, v2.17.3, v2.18.2, v2.19.3, v2.20.2, v2.21.1,
	51	v2.22.2 and v2.23.1 were released.