# Security Policy

## Reporting a Vulnerability

Please report security vulnerabilities by sending email to lgl@island-resort.com.
Please include "QCBOR SECURITY" in the subject line.

In most cases the vulnerability should not be reported by filing an issue in GitHub as this
will publicly disclose the issue before a fix is available.

Laurence Lundblade maintains this code and will respond in a day or two with an initial
evaluation.

Security fixes will be prioritized over other work.

Vulnerabilities will be fixed promptly, but some may be more complex than others
and take longer. If the fix is quick, it will usually be turned around in a
few days.

## Availability of Fixes

When the fix has been created, it will be privately verified with the party that reported it.
Only after the fix has been verified and the reporter has had a chance to integrate the fix
will it be made available as a public commit in GitHub.

If the reporter doesn't respond or can't integrate the fix, it will be made public after 30 days.