# Security Policy

## How to Report

If you believe you've found an issue that has security implications, please do
not post a public issue on GitHub. Instead, email the project lead, Will Bond,
at will@wbond.net.

You should receive a response within two business days, and follow-up emails
during the process of confirming the potential issue.

## Supported Versions

The asn1crypto project only provides security patches for the most recent
release. This is primarily a function of available resources.

## Disclosure Process

The following process is used when handling a potential security issue:

 1. The report should be emailed to will@wbond.net, and NOT posted on the
    GitHub issue tracker.
 2. Confirmation of receipt of the report should happen within two business
    days.
 3. Information will be collected and an investigation will be performed to
    determine if a security issue exists.
 4. If no security issue is found, the process will end.
 5. A fix for the issue and announcement will be drafted.
 6. A release schedule and announcement will be negotiated between the
    reporter and the project.
 7. The security contacts for Arch Linux, Conda, Debian, Fedora, FreeBSD,
    Ubuntu, and Tidelift will be contacted to notify them of an upcoming
    security release.
 8. Fixes for all vulnerabilities will be performed, and new releases made,
    but without mention of a security issue. These changes and releases will
    be published before the announcement.
 9. An announcement will be made disclosing the vulnerability and the fix.