@@ -0,0 +1,51 @@
+# smtprelay Security Policy
+
+This document outlines security procedures and general policies for the
+smtprelay project.
+
+## Supported Versions
+
+The latest release is the only supported release.
+
+
+## Disclosing a security issue
+
+The smtprelay maintainers take all security issues in the project seriously.
+Thank you for improving the security of the project! We appreciate your
+dedication to responsible disclosure and will make every effort to acknowledge
+your contributions.
+
+smtprelay leverages GitHub's private vulnerability reporting.
+
+To learn more about this feature and how to submit a vulnerability report,
+review [GitHub's documentation on private reporting](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability).
+
+Here are some helpful details to include in your report:
+
+- a detailed description of the issue
+- the steps required to reproduce the issue
+- versions of the project that may be affected by the issue
+- if known, any mitigations for the issue
+
+A maintainer will acknowledge the report within three (3) business days, and
+will send a more detailed response within an additional three (3) business days
+indicating the next steps in handling your report.
+
+After the initial reply to your report, the maintainers will endeavor to keep
+you informed of the progress towards a fix and full announcement, and may ask
+for additional information or guidance.
+
+## Vulnerability management
+
+When the maintainers receive a disclosure report, they will coordinate the
+fix and release process, which involves the following steps:
+
+- confirming the issue
+- determining affected versions of the project
+- auditing code to find any potential similar problems
+- preparing fixes for all releases under maintenance
+
+## Suggesting changes
+
+If you have suggestions on how this process could be improved please submit an
+issue or pull request.
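Review bot: the "Supported Versions" section states that "The latest release is the only supported release.", but the last bullet under "Vulnerability management" promises "preparing fixes for all releases under maintenance", which reads as if several release lines are maintained; reconcile the two, for example by changing the bullet to "preparing a fix for the latest release" or by defining what "under maintenance" means in "Supported Versions". The policy also relies solely on GitHub's private vulnerability reporting, which only works when the maintainers have enabled it on the repository; consider stating a fallback contact channel for reporters, and stating how fixes are announced (e.g. whether a GitHub security advisory is published and whether reporters are credited), since "full announcement" is mentioned but not defined.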