1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
# Security Policies and Procedures
This document outlines security procedures and general policies for Chafa.
## Reporting a Bug
We are grateful for the testing and analysis carried out by the community. All
bug reports are taken seriously.
Normally, bugs can be filed directly in the public GitHub issue tracker, but if
you believe there is a security impact, please contact the lead maintainer at
his e-mail address <hpj@hpjansson.org> instead.
We will most likely respond within 48 hours, but since Chafa is a volunteer
project, please allow up to a week for those rare times we're away from the
keyboard or general connectivity.
When a fix is published, you will receive credit under your real name or bug
tracker handle in the NEWS document and possibly elsewhere (GitHub, blog post,
etc). If you prefer to remain anonymous or pseudonymous, you should mention
this in your e-mail.
## Disclosure Policy
The maintainer will coordinate the fix and release process, involving the
following steps:
* Confirm the problem and determine the affected versions.
* Audit code to find any potential similar problems.
* Prepare fixes for all releases still under maintenance. These fixes will be
released as fast as possible.
You may be asked to provide further information in pursuit of a fix.
## Comments on this Policy
If you have suggestions on how this process could be improved, please submit an
issue or pull request.
|
