# Security Process

If you find a vulnerability in our software, please report it via
GitHub's "Private vulnerability reporting" feature at
https://github.com/nghttp2/nghttp2/security instead of submitting
issues on the GitHub issue page.  It is standard practice not to
disclose vulnerability information publicly until a fixed version is
released or a mitigation is worked out.

If we confirm that the reported issue is really a vulnerability, we
open a new security advisory draft using the [GitHub security
feature](https://github.com/nghttp2/nghttp2/security) and discuss the
mitigation and bug fixes there.  The fixes are committed to the
private repository.

We write the security advisory and get a CVE number from GitHub
privately.  We also discuss the date of public disclosure.

We make a new release with the fix at the same time the
vulnerability is disclosed to the public.

At least 7 days before the public disclosure date, we open a new issue
on the [nghttp2 issue tracker](https://github.com/nghttp2/nghttp2/issues)
announcing that the upcoming release will contain a security fix.
The `SECURITY` label is attached to this kind of issue.  The issue is
not opened if the vulnerability is already disclosed and it is publicly
known that nghttp2 is affected by it.

A few hours before the new release, we merge the fixes to the master
branch (and/or a release branch if necessary) and make the new release.
The security advisory is then disclosed on GitHub.