diff --git a/SECURITY.md b/SECURITY.md index f30ec54ff9..20ffb4cf4f 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -7,35 +7,42 @@ SPDX-License-Identifier: Apache-2.0 # Security Policy ## Supported Versions + Our _release cycle_ for new features (minor [semver](https://semver.org/) update) -is roughly every two weeks (we will usually make a new release after each review). +is roughly every four weeks (we will usually make a new release after each sprint review). | Version | Security Fixes* | Supported** | | ------- | ------------------ | ------------------ | -| 4.x.x | :white_check_mark: | :white_check_mark: | -| 3.15.x | :white_check_mark: | :white_check_mark: | -| <= 2.9.x | :x: | :x: | -| < 2.0 | :x: | :x: | +| 5.x.x | :white_check_mark: | :white_check_mark: | +| 4.16.x | Critical issues only | :x: | +| <= 3.15.x | :x: | :x: | ### Major Release (Semver) + _Upcoming major updates_ will come with a time window in which both _major versions_ (starting with v2.x.x) -will receive security updates and bugfixes. The concrete support intervall will be probably a couple of months -and will be published when the next major version will be released. +will receive security updates and bugfixes. The concrete support interval will probably be a couple of months +and will be published when the next major version is released. ### Minor Release/Feature Releases (Semver) + We currently plan to provide support for the _latest minor [semver](https://semver.org/)_ release only. ### Patch Release/Bugfix/Security Fix + We try to make bugfixes and high severity fixes available as patch release for the current minor release as early as possible. ## Extended (Enterprise) Support -If you are interested in extended support for older versions with security updates of our project + +If you are interested in extended support for older versions with security updates of our project please get in touch with the project team via Slack or email . ## Reporting a Vulnerability -You have found a vulnerability in the project that shouldn't be disclosed as public issue before it's fixed? 
-Please get in touch with the project team via Slack or email . -You can expect a fast reaction within the next days. -We will keep you updated about the next steps and inform you if the vulnerability is accepted and when its fixed or if its ordeclined somehow. +You have found a vulnerability in the project that shouldn't be disclosed as a public issue before it's fixed? +Please report it using GitHub Security Advisories at https://github.com/secureCodeBox/secureCodeBox/security/advisories. + +If you are unable to use GitHub advisories, please email the project leaders at their OWASP email addresses that can be found under https://github.com/OWASP/www-project-securecodebox/blob/master/leaders.md. + +You can expect a fast reaction within the next few days. +We will keep you updated about the next steps and inform you if the vulnerability is accepted and when it's fixed or if it's declined somehow.
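Review bot: the new table row `| 4.16.x | Critical issues only | :x: |` introduces a reduced support tier without defining what counts as "critical" or how long the tier lasts, even though the unchanged "Major Release" paragraph promises that the concrete support interval "will be published when the next major version is released", which is exactly the release this hunk documents. Suggest adding an explicit end date and a severity threshold (for example the CVSS range or the advisory severity label that qualifies) either in the row or in the `*` footnote the column header points to, and updating the now stale `(starting with v2.x.x)` clause since the table begins at 3.15.x. Minor: both remaining "via Slack or email ." sentences still carry no address after "email", so the extended-support contact path is unusable as written; consider pointing it at the same leaders.md link the reporting section now uses.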