author: Paulo Gomes <pjbgf@linux.com> 2023-06-05 08:12:37 +0100
committer: GitHub <noreply@github.com> 2023-06-05 08:12:37 +0100
commit: d4b7c8f42f0751cf34a3f4088dd9f00a63fd866b (patch)
tree: 54bb3a1fdf741072eaff5e00c5afeec54b6f1595
parent: dd067af60e33a9aaf156186eeb143816e0748335 (diff)
parent: 42b41aa8925782ac08c329576e3e843a41e0d6f8 (diff)
download: go-git-d4b7c8f42f0751cf34a3f4088dd9f00a63fd866b.tar.gz
Merge pull request #784 from pjbgf/sec
Add SECURITY.md
-rw-r--r-- SECURITY.md | 38
1 file changed, 38 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..0d2f8d0
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,38 @@
+# go-git Security Policy
+
+The purpose of this security policy is to outline `go-git`'s process
+for reporting, handling and disclosing security sensitive information.
+
+## Supported Versions
+
+The project follows a version support policy where only the latest minor
+release is actively supported. Therefore, only issues that impact the latest
+minor release will be fixed. Users are encouraged to upgrade to the latest
+minor/patch release to benefit from the most up-to-date features, bug fixes,
+and security enhancements.​
+
+The supported versions policy applies to both the `go-git` library and its
+associated repositories within the `go-git` org.
+
+## Reporting Security Issues
+
+Please report any security vulnerabilities or potential weaknesses in `go-git`
+privately via go-git-security@googlegroups.com. Do not publicly disclose the
+details of the vulnerability until a fix has been implemented and released.
+
+During the process the project maintainers will investigate the report, so please
+provide detailed information, including steps to reproduce, affected versions, and any mitigations if known.
+
+The project maintainers will acknowledge the receipt of the report and work with
+the reporter to validate and address the issue.
+
+Please note that `go-git` does not have any bounty programs, and therefore do
+not provide financial compensation for disclosures.
+
+## Security Disclosure Process
+
+The project maintainers will make every effort to promptly address security issues.
+
+Once a security vulnerability is fixed, a security advisory will be published to notify users and provide appropriate mitigation measures.
+
+All `go-git` advisories can be found at https://github.com/go-git/go-git/security/advisories.
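Review bot: The reporting section gives no expected acknowledgement or response timeframe, which is the first thing a reporter checks before deciding how long to hold a finding; consider adding a target such as an acknowledgement window after "The project maintainers will acknowledge the receipt of the report" and a rough time-to-fix expectation in "Security Disclosure Process". Two smaller points in the same hunk: the line "and security enhancements." ends with a stray zero-width space character that should be stripped, and "and therefore do not provide financial compensation" should read "and therefore does not provide financial compensation" to agree with "`go-git` does not have". Finally, since the only reporting channel is the go-git-security@googlegroups.com mailing list, it would help reporters to state whether an encrypted option (a published PGP key or GitHub's private vulnerability reporting) is available for sensitive details such as reproduction steps.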