
Security policy for GNU libmicrohttpd

Supported Versions

We support both the most recent stable release series (1.x) and the current development release series (2.x).

Signed Releases

All commits and releases (the files on ftp.gnu.org) are signed by a maintainer. Each maintainer uses their personal GPG key known to and verified by the GNU project.

Reporting a Vulnerability

If you think you've identified a security issue in GNU libmicrohttpd, please do not report the issue publicly via a mailing list, IRC, a public issue on the GitLab issue tracker, a merge request, or any other public venue.

Instead, report a confidential ("private") issue in the Mantis issue tracker with the "private" box checked. Please include as many details as possible, ideally including a minimal reproducible example of the issue and an idea of how exploitable or severe you think it is.

Private issues are only visible to the reporter and the core developer team.

The next steps are then:

  • The report is triaged.
  • Code is audited to find any potential similar problems.
  • The fix is prepared for the development branch, and for the most recent stable branch.
  • The fix is submitted to the public repository and a new release containing the fix is issued.
  • On the day the issue and fix are made public, an announcement is made on the public channels listed below.

As per the GNU security processes you may escalate the report with the GNU project if -- for any reason -- the GNU libmicrohttpd maintainers are unable to respond in a timely fashion.

Security Announcements

Security announcements are made publicly via the GNU libmicrohttpd mailing list.

Acknowledgements

This text was partially based on the GNOME GLib security policy.