From 07db3f148b2f747e4434b0feb64bc6f82191a107 Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Tue, 2 Jun 2020 04:05:02 +0000 Subject: [PATCH] Summarize Squid Project security policy (#630) As an added bonus, GitHub recognizes this file as one of the "Community health" files and refers folks filing security issues to it. --- SECURITY.md | 37 +++++++++++++++++++++++++++++++++++++ scripts/spell-check.sh | 2 +- 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..2c6d1e295f --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,37 @@ +# Security Policy + +## Supported Versions + +Security-related reports are considered for official numbered releases +starting with v3.5. However, issues that do not affect the current Stable or +Beta series are unlikely to be fixed. Please see +http://www.squid-cache.org/Versions/ for the list of releases that belong to +the current series. + +Reports about security issues in the Development series are welcomed. However, +development series contains experimental code that does not qualify for CVE +allocation. + + +## Reporting a Vulnerability + +To report security-sensitive bugs, please post to the squid-bugs mailing +(list)[http://www.squid-cache.org/Support/mailing-lists.html#squid-bugs]. It +is a closed list (although anyone can post), and security related bug reports +are treated in confidence at least until the impact has been established. + +The security team strives to manually acknowledge each new report within 48 +hours. Please feel free to email a reminder if you have not heard from us +within that time frame. + +As a _last_ resort (e.g., if the squid-bugs contact point appears to be +broken), contact the release maintainer directly. The maintainer is on the +security team but may not be able to respond promptly. + + +### Encrypted reports + +Reporters wishing to encrypt their vulnerability reports can request GPG +public keys from the security team members via the squid-bugs mailing list. +Please note that encrypting reports may slow down their handling and is +unlikely to improve the overall security of the process. diff --git a/scripts/spell-check.sh b/scripts/spell-check.sh index 337c1040a3..c313eb6201 100755 --- a/scripts/spell-check.sh +++ b/scripts/spell-check.sh @@ -58,7 +58,7 @@ for FILENAME in `git ls-files "$@"`; do *.sh|\ *.pre|\ *.pl|*.pl.in|*.pm|\ - *.dox|*.html|*.txt|\ + *.dox|*.html|*.md|*.txt|\ *.sql|\ errors/templates/ERR_*|\ INSTALL|README|QUICKSTART) -- 2.47.2
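Review bot: the Markdown link in the SECURITY.md hunk (section "Reporting a Vulnerability") has its bracket and parenthesis order reversed: `mailing (list)[http://www.squid-cache.org/Support/mailing-lists.html#squid-bugs]` renders as literal text rather than a link. It should be `mailing [list](http://www.squid-cache.org/Support/mailing-lists.html#squid-bugs)`. Since this is the primary contact point the policy gives for confidential reports, the link is worth fixing before merge. Minor wording in the same hunk: "development series contains experimental code" should read "the Development series contains experimental code", matching the capitalised term used in the preceding sentence.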
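Review bot: the scripts/spell-check.sh hunk adds `*.md` to the case pattern list, which widens the spell check to every tracked Markdown file, not only the new SECURITY.md, yet the commit message describes only the policy file. The message should mention this change, and any other `.md` files already tracked in the repository should be confirmed to pass the check, otherwise this commit can start failing the spell check for reasons unrelated to the security policy.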