| field | value | date |
|---|---|---|
| author | Paulo Gomes <pjbgf@linux.com> | 2023-06-05 08:12:37 +0100 |
| committer | GitHub <noreply@github.com> | 2023-06-05 08:12:37 +0100 |
| commit | d4b7c8f42f0751cf34a3f4088dd9f00a63fd866b (patch) | |
| tree | 54bb3a1fdf741072eaff5e00c5afeec54b6f1595 /SECURITY.md | |
| parent | dd067af60e33a9aaf156186eeb143816e0748335 (diff) | |
| parent | 42b41aa8925782ac08c329576e3e843a41e0d6f8 (diff) | |
| download | go-git-d4b7c8f42f0751cf34a3f4088dd9f00a63fd866b.tar.gz | |
Merge pull request #784 from pjbgf/sec
Add SECURITY.md
Diffstat (limited to 'SECURITY.md')
-rw-r--r-- | SECURITY.md | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..0d2f8d0 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,38 @@ +# go-git Security Policy + +The purpose of this security policy is to outline `go-git`'s process +for reporting, handling and disclosing security sensitive information. + +## Supported Versions + +The project follows a version support policy where only the latest minor +release is actively supported. Therefore, only issues that impact the latest +minor release will be fixed. Users are encouraged to upgrade to the latest +minor/patch release to benefit from the most up-to-date features, bug fixes, +and security enhancements. + +The supported versions policy applies to both the `go-git` library and its +associated repositories within the `go-git` org. + +## Reporting Security Issues + +Please report any security vulnerabilities or potential weaknesses in `go-git` +privately via go-git-security@googlegroups.com. Do not publicly disclose the +details of the vulnerability until a fix has been implemented and released. + +During the process the project maintainers will investigate the report, so please +provide detailed information, including steps to reproduce, affected versions, and any mitigations if known. + +The project maintainers will acknowledge the receipt of the report and work with +the reporter to validate and address the issue. + +Please note that `go-git` does not have any bounty programs, and therefore do +not provide financial compensation for disclosures. + +## Security Disclosure Process + +The project maintainers will make every effort to promptly address security issues. + +Once a security vulnerability is fixed, a security advisory will be published to notify users and provide appropriate mitigation measures. + +All `go-git` advisories can be found at https://github.com/go-git/go-git/security/advisories. |
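Review bot: Grammar slip in the "Reporting Security Issues" section of the new file: "`go-git` does not have any bounty programs, and therefore do not provide financial compensation for disclosures" should read "does not provide", since the subject is the project. On substance, the "Security Disclosure Process" section promises to "promptly address security issues" and the reporting section promises to "acknowledge the receipt of the report", but neither states an expected timeframe; adding even an approximate acknowledgement window (a number of days the maintainers are comfortable with) would tell reporters when a report can be considered unanswered and reduce the risk of a frustrated reporter disclosing early. The "Supported Versions" section could also say how users learn which release is the current minor (for example, by pointing at the releases page), since the policy makes that the only line that receives fixes.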