Security Process
================

If you find a vulnerability in our software, please send an email to
"tatsuhiro.t at gmail dot com" with the details instead of submitting
an issue on the GitHub issue page.  It is standard practice not to
disclose vulnerability information publicly until a fixed version is
released or a mitigation is worked out.  In the future, we may set up a
dedicated mail address for this purpose.

If we determine that the reported issue is really a vulnerability, we
open a new security advisory draft using the `GitHub security feature
<https://github.com/nghttp2/nghttp2/security>`_ and discuss the
mitigation and bug fixes there.  The fixes are committed to the
private repository.

We write the security advisory and obtain a CVE number from GitHub
privately.  We also discuss the date of public disclosure.

We make a new release with the fix at the same time the
vulnerability is disclosed to the public.

At least 7 days before the public disclosure date, we post the
security advisory (which includes all the details of the vulnerability
and the possible mitigation strategies) and the patches that fix the
issue to the `distros@openwall
<https://oss-security.openwall.org/wiki/mailing-lists/distros>`_
mailing list.  We also open a new issue on the `nghttp2 issue tracker
<https://github.com/nghttp2/nghttp2/issues>`_ which notifies that the
upcoming release will contain a security fix.  The ``SECURITY`` label is
attached to this kind of issue.

A few hours before the new release, we merge the fixes into the master
branch (and/or a release branch if necessary) and make the new release.
The security advisory is disclosed on GitHub.  We also post the
vulnerability information to the `oss-security
<https://oss-security.openwall.org/wiki/mailing-lists/oss-security>`_
mailing list.