Security Policy
===============

This file describes how security issues are reported and handled, and what the
expectations are for security issues reported to this project.


Responsible Disclosure
----------------------

With *responsible disclosure*, a security issue (and its fix) is disclosed only
after a mutually-agreed period of time (the "embargo date"). The issue and fix
are shared amongst and reviewed by the key stakeholders (Linux distributions,
OS vendors, etc.) and the CERT/CC. Fixes are released to the public on the
agreed-upon date.

> Responsible disclosure applies only to production releases. A security
> vulnerability that only affects unreleased code can be fixed immediately
> without coordination. Vendors *should not* package and release unstable
> snapshots, beta releases, or release candidates of this software.


Supported Versions
------------------

All production releases of this software are subject to this security policy. A
production release is tagged and given a semantic version number of the form:

    MAJOR.MINOR.PATCH

where "MAJOR" is an integer starting at 1 and "MINOR" and "PATCH" are integers
starting at 0. A feature release has a "PATCH" value of 0, for example:

    1.0.0
    1.1.0
    2.0.0

Beta releases and release candidates are *not* production releases and use
semantic version numbers of the form:

    MAJOR.MINORbNUMBER
    MAJOR.MINORrcNUMBER

where "MAJOR" and "MINOR" identify the new feature release version number and
"NUMBER" identifies a beta or release candidate number starting at 1, for
example:

    1.0b1
    1.0b2
    1.0rc1


Reporting a Vulnerability
-------------------------

GitHub supports private security advisories and OpenPrinting CUPS has enabled
their use; report all security issues through them. Reporters can file a security
advisory by clicking `New issue` on the `Issues` tab and choosing `Report a vulnerability`.
Provide details, impact, a reproducer, affected versions, workarounds and a patch
for the vulnerability if there are any, and estimate the severity when creating the advisory.
Expect a response within 5 business days. Once the OpenPrinting group agrees on the patch
and announces it on `distros@vs.openwall.org`, there is an embargo period of 7-10 days.
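The two version forms from the Supported Versions section above, as an added example (not CUPS project code): a small classifier that tells production releases, which this policy covers and which vendors may package, from beta and release-candidate tags, which it does not. The tag list passed to `packageable` is constructed for illustration.

```python
import re

# Production form MAJOR.MINOR.PATCH: MAJOR >= 1, MINOR and PATCH >= 0.
_PRODUCTION = re.compile(r"^(?P<major>[1-9]\d*)\.(?P<minor>\d+)\.(?P<patch>\d+)$")
# Pre-release forms MAJOR.MINORbNUMBER and MAJOR.MINORrcNUMBER: NUMBER >= 1.
_PRERELEASE = re.compile(
    r"^(?P<major>[1-9]\d*)\.(?P<minor>\d+)(?P<kind>b|rc)(?P<number>[1-9]\d*)$"
)


def parse_version(tag: str) -> dict:
    """Classify a release tag using the policy's documented version forms.

    'kind' is "feature" (PATCH == 0), "patch", "beta" or "rc"; 'covered' is
    True only for production releases, the ones the security policy applies to.
    Anything outside the two documented forms is rejected rather than guessed.
    """
    m = _PRODUCTION.match(tag)
    if m:
        major, minor, patch = (int(m.group(g)) for g in ("major", "minor", "patch"))
        return {
            "kind": "feature" if patch == 0 else "patch",
            "major": major, "minor": minor, "patch": patch,
            "covered": True,
        }
    m = _PRERELEASE.match(tag)
    if m:
        return {
            "kind": "beta" if m.group("kind") == "b" else "rc",
            "major": int(m.group("major")), "minor": int(m.group("minor")),
            "number": int(m.group("number")),
            "covered": False,
        }
    raise ValueError(f"not a version tag in the documented form: {tag!r}")


def packageable(tags) -> list:
    """Return only the tags a distribution vendor should package: production releases."""
    return [t for t in tags if parse_version(t)["covered"]]


if __name__ == "__main__":
    # Constructed sample tags; the policy's own examples plus one more pre-release.
    sample = ["1.0b1", "1.0b2", "1.0rc1", "1.0.0", "1.1.0", "2.0b1", "2.0.0"]
    print(packageable(sample))
```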