From: Nikos Mavrogiannopoulos Date: Tue, 21 Feb 2017 07:13:56 +0000 (+0100) Subject: Added SECURITY.md, a description of the security issue handling process X-Git-Tag: gnutls_3_6_0~972 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3fd3f58167d22bf1d2b6c8fccba804bf8ca5df91;p=thirdparty%2Fgnutls.git Added SECURITY.md, a description of the security issue handling process Signed-off-by: Nikos Mavrogiannopoulos --- diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..34303f1267 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,32 @@ +# GnuTLS -- Information about our security issue handling process + + Security issues are reported either to [issue tracker](https://gitlab.com/gnutls/gnutls/issues) +as private bugs, or on the bug report mail address. + +The following steps describe the steps we recommend to use to address the +issue. + +# Which issues are security issues + +A metric we consult to assessing security vulnerabilities is +the [CVSS](https://www.first.org/cvss) metric. Only vulnerabilities +at the high or critical level are handled with this process. Other +issues are handled with the normal release process. + +# Committing a fix + +The fix when is made available, preferrably within 3 months of the report, +is pushed to the repository using a detailed message on all supported +branches which are affected. The commit message must refer to the bug +report addressed (e.g., our issue tracker or some external issue tracker). + +# Releasing + +Currently our releases are time-based, thus there are no special releases +targetting security fixes. At release time the NEWS entries must reflect +the issues addressed (also referring to the relevant issue trackers), and +security-related entries get assigned a GNUTLS-SA (gnutls security advisory +number). The assignment is done at release time at the web repository, in +the 'security-entries' path. The number assigned is the year separated +with a dash with the first unassigned number for the year. +
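Review bot: Several wording defects in the new SECURITY.md text should be fixed before this lands: "preferrably" (Committing a fix) and "targetting" (Releasing) are misspelled, "The fix when is made available" should read "When the fix is made available", "A metric we consult to assessing" should read "when assessing", and "The following steps describe the steps we recommend to use" repeats itself. The line "+ Security issues are reported either to [issue tracker](https://gitlab.com/gnutls/gnutls/issues)" carries a stray leading space the other lines lack, and "either to [issue tracker]" reads better as "either on the [issue tracker]". The file uses a single "#" heading level for the title and for every section; "Which issues are security issues", "Committing a fix" and "Releasing" would be clearer as "##" subheadings. Two statements are underspecified for the people who have to follow them: the "bug report mail address" is never named (a link or the address itself would help), and the GNUTLS-SA numbering rule "the year separated with a dash with the first unassigned number for the year" would be unambiguous with one literal example of the resulting identifier. Finally, saying which CVSS version the "high or critical" threshold refers to would keep the triage rule stable as the scoring standard changes.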