From: Joe Orton Date: Tue, 16 Jun 2026 07:34:07 +0000 (+0000) Subject: * SECURITY.md: Try to be more explicit about trunk-only code. X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3ab7342bdf9ada3e5cf4a45553f837692d9c2bbe;p=thirdparty%2Fapache%2Fhttpd.git * SECURITY.md: Try to be more explicit about trunk-only code. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935398 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/SECURITY.md b/SECURITY.md index 24bf4e3f2c..8d6acfbe11 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -8,9 +8,9 @@ demonstrate how an attacker can violate the security model. ## Supported Versions Currently the only supported version is the latest patch release of the -`2.4.x` stable branch. Vulnerabilities which exist *only* in -unreleased branches (such as `trunk`) may be treated as normal bug -reports. +`2.4.x` stable branch. Vulnerabilities which exist *only* in +unreleased branches (such as `trunk`) should be reported as normal bug +reports via . ## Reporting Vulnerabilities @@ -36,7 +36,8 @@ Any security vulnerability SHOULD be reproducible: 1. under a reasonable, supported configuration. 2. without using third-party modules, or modules explicitly designed for debugging. -3. under a standard build on a supported platform. +3. using the *latest* released sources published via . +4. under a standard build, on a supported platform. Issues which are reproducible only using instrumented builds (such as ASAN, or under valgrind) should be clearly explained as such.
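Review bot: In the Supported Versions hunk, the new sentence ends with "reports via ." and nothing follows "via" in this rendering. If the destination is an angle-bracket autolink, check that it survives in the published SECURITY.md, or use an explicit link with visible text so the tracker address is readable in both plain-text and HTML views. The phrase "should be reported as normal bug reports" repeats itself; "should be filed as normal bugs via ..." reads more cleanly. Because the sentence turns on *only*, consider stating the converse in the same paragraph: an issue that also affects the latest `2.4.x` release still follows the process under "Reporting Vulnerabilities".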
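Review bot: New item 3 in the reproducibility list ends with "published via ." and no destination is visible, the same missing-link problem as in the first hunk, so a reporter cannot tell from this text which download location counts as authoritative. The item also says "the *latest* released sources" without naming a branch, while Supported Versions limits support to the latest patch release of `2.4.x`; wording such as "the latest `2.4.x` release sources" would tie the two sections together and rule out reading it as any release from any branch. Item 4 could then say "a standard build of those sources" so that items 3 and 4 read as one requirement rather than two independent ones.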