--- /dev/null
+# Security Policy
+
+## Supported Versions
+
+Security-related reports are considered for official numbered releases
+starting with v3.5. However, issues that do not affect the current Stable or
+Beta series are unlikely to be fixed. Please see
+http://www.squid-cache.org/Versions/ for the list of releases that belong to
+the current series.
+
+Reports about security issues in the Development series are welcomed. However,
+development series contains experimental code that does not qualify for CVE
+allocation.
+
+
+## Reporting a Vulnerability
+
+To report security-sensitive bugs, please post to the squid-bugs mailing
+(list)[http://www.squid-cache.org/Support/mailing-lists.html#squid-bugs]. It
+is a closed list (although anyone can post), and security related bug reports
+are treated in confidence at least until the impact has been established.
+
+The security team strives to manually acknowledge each new report within 48
+hours. Please feel free to email a reminder if you have not heard from us
+within that time frame.
+
+As a _last_ resort (e.g., if the squid-bugs contact point appears to be
+broken), contact the release maintainer directly. The maintainer is on the
+security team but may not be able to respond promptly.
+
+
+### Encrypted reports
+
+Reporters wishing to encrypt their vulnerability reports can request GPG
+public keys from the security team members via the squid-bugs mailing list.
+Please note that encrypting reports may slow down their handling and is
+unlikely to improve the overall security of the process.
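Review bot: The Markdown link in "Reporting a Vulnerability" has its brackets and parentheses swapped, `(list)[http://www.squid-cache.org/Support/mailing-lists.html#squid-bugs]`, so it will show as literal text instead of a link to the reporting address. It should read `[list](http://www.squid-cache.org/Support/mailing-lists.html#squid-bugs)`, preferably with the link text covering "squid-bugs mailing list" so the target is obvious. Both URLs in the file use `http://`; if the site serves these pages over HTTPS, use that for the reporting instructions. In "Supported Versions", "However, development series contains" is missing "the". In "Encrypted reports", keys are requested over the same list and the file gives no fingerprint to check a received key against; consider listing the team members' key fingerprints here.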