1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
# Security policies
## Release security
The PCRE2 project provides source-only releases, with no binaries.
These source releases can be downloaded from the
[GitHub Releases](https://github.com/PCRE2Project/pcre2/releases) page. Each
release file is GPG-signed.
* Releases up to and including 10.44 are signed by Philip Hazel (GPG key:
<kbd>45F68D54BBE23FB3039B46E59766E084FB0F43D8</kbd>)
* Releases from 10.45 onwards will be signed by Nicholas Wilson (GPG key:
<kbd>A95536204A3BB489715231282A98E77EB6F24CA8</kbd>, cross-signed by Philip
Hazel's key for release continuity)
From releases 10.45 onwards, the source code will additionally be provided via
Git checkout of the (GPG-signed) release tag.
Please contact the maintainers for any queries about release integrity or the
project's supply-chain.
## Reporting vulnerabilities
The PCRE2 project prioritises security. We appreciate third-party testing and
security research, and would be grateful if you could responsibly disclose your
findings to us. We will make every effort to acknowledge your contributions.
To report a security issue, please use the GitHub Security Advisory
["Report a Vulnerability"](https://github.com/PCRE2Project/pcre2/security/advisories/new)
tab. (Alternatively, if you prefer you may send a GPG-encrypted email to one of
the maintainers.)
### Timeline
As a very small volunteer team, we cannot guarantee rapid response, but would
aim to respond within 1 week, or perhaps 2 during holidays.
### Response procedure
PCRE2 has never previously made a rapid or embargoed release in response to a
security incident. We would work with security managers from trusted downstream
distributors, such as major Linux distributions, before disclosing the
vulnerability publicly.
|
