From 5e974797bd8050c2d425a706670254ad0323404d Mon Sep 17 00:00:00 2001 From: Sylvestre Ledru Date: Sun, 14 Sep 2025 13:56:20 +0200 Subject: [PATCH] Document the security process (#8633) * Document the security process Closes: #8553 * Update SECURITY.md Co-authored-by: Daniel Hofstetter * Update SECURITY.md Co-authored-by: Daniel Hofstetter --------- Co-authored-by: Daniel Hofstetter --- SECURITY.md | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..5cc437d4b --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,44 @@ +# Security Policy + +## Supported Versions + +We provide security updates only for the latest released version of `uutils/coreutils`. +Older versions may not receive patches. +If you are using a version packaged by your Linux distribution, please check with your distribution maintainers for their update policy. + +--- + +## Reporting a Vulnerability + +**Do not open public GitHub issues for security vulnerabilities.** +This prevents accidental disclosure before a fix is available. + +Instead, please use the following method: + +- **Email:** [sylvestre@debian.org](mailto:Sylvestre@debian.org) +- **Encryption (optional):** You may encrypt your report using our PGP key: +Fingerprint: B60D B599 4D39 BEC4 D1A9 5CCF 7E65 28DA 752F 1BE1 +--- + +### What to Include in Your Report + +To help us investigate and resolve the issue quickly, please include as much detail as possible: + +- **Type of issue:** e.g. privilege escalation, information disclosure. +- **Location in the source:** file path, commit hash, branch, or tag. +- **Steps to reproduce:** exact commands, test cases, or scripts. +- **Special configuration:** any flags, environment variables, or system setup required. +- **Affected systems:** OS/distribution and version(s) where the issue occurs. +- **Impact:** your assessment of the potential severity (DoS, RCE, data leak, etc.). + +--- + +## Disclosure Policy + +We follow a **Coordinated Vulnerability Disclosure (CVD)** process: + +1. We will acknowledge receipt of your report within **10 days**. +2. We will investigate, reproduce, and assess the issue. +3. We will provide a timeline for developing and releasing a fix. +4. Once a fix is available, we will publish a GitHub Security Advisory. +5. You will be credited in the advisory unless you request anonymity.
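Review bot: in the "Reporting a Vulnerability" section the visible link text and its mailto target disagree in case (`[sylvestre@debian.org](mailto:Sylvestre@debian.org)`); pick one spelling, since the local part of an address is not guaranteed to be case-insensitive and a reporter copying the visible text should reach the same mailbox as the link. In the same hunk the PGP fingerprint is listed without saying where the public key can be obtained (a keyserver, a key file in the repository, or a URL), so a reporter has nothing to import and verify against the fingerprint; one line such as "The key is available at: <location>" would close that gap. The `---` immediately after the fingerprint line also lacks the blank line that precedes every other separator in the file, and depending on the renderer a `---` directly under a text line can be treated as a setext heading underline rather than a rule. Finally, the disclosure steps state a 10-day acknowledgement but no upper bound on the embargo before publication (step 3 only promises "a timeline"); stating a default maximum disclosure window would make the CVD commitment concrete for reporters.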