mirror of https://gitee.com/openkylin/cups.git
63 lines
2.2 KiB
Markdown
63 lines
2.2 KiB
Markdown
Security Policy
|
|
===============
|
|
|
|
This file describes how security issues are reported and handled, and what the
|
|
expectations are for security issues reported to this project.
|
|
|
|
|
|
Responsible Disclosure
|
|
----------------------
|
|
|
|
With *responsible disclosure*, a security issue (and its fix) is disclosed only
|
|
after a mutually-agreed period of time (the "embargo date"). The issue and fix
|
|
are shared amongst and reviewed by the key stakeholders (Linux distributions,
|
|
OS vendors, etc.) and the CERT/CC. Fixes are released to the public on the
|
|
agreed-upon date.
|
|
|
|
> Responsible disclosure applies only to production releases. A security
|
|
> vulnerability that only affects unreleased code can be fixed immediately
|
|
> without coordination. Vendors *should not* package and release unstable
|
|
> snapshots, beta releases, or release candidates of this software.
|
|
|
|
|
|
Supported Versions
|
|
------------------
|
|
|
|
All production releases of this software are subject to this security policy. A
|
|
production release is tagged and given a semantic version number of the form:
|
|
|
|
MAJOR.MINOR.PATCH
|
|
|
|
where "MAJOR" is an integer starting at 1 and "MINOR" and "PATCH" are integers
|
|
starting at 0. A feature release has a "PATCH" value of 0, for example:
|
|
|
|
1.0.0
|
|
1.1.0
|
|
2.0.0
|
|
|
|
Beta releases and release candidates are *not* prodution releases and use
|
|
semantic version numbers of the form:
|
|
|
|
MAJOR.MINORbNUMBER
|
|
MAJOR.MINORrcNUMBER
|
|
|
|
where "MAJOR" and "MINOR" identify the new feature release version number and
|
|
"NUMBER" identifies a beta or release candidate number starting at 1, for
|
|
example:
|
|
|
|
1.0b1
|
|
1.0b2
|
|
1.0rc1
|
|
|
|
|
|
Reporting a Vulnerability
|
|
-------------------------
|
|
|
|
Github supports private security advisories and OpenPrinting CUPS enabled
|
|
their usage, report all security issue via them. Reporters can file a security
|
|
advisory by clicking on `New issue` at tab `Issues` and choose `Report a vulnerability`.
|
|
Provide details, impact, reproducer, affected versions, workarounds and patch
|
|
for the vulnerability if there are any and estimate severity when creating the advisory.
|
|
Expect a response within 5 business days. Once OpenPrinting group agree on the patch
|
|
and announce it on `distros@vs.openwall.org`, there is embargo period 7-10 days long.
|