SECURITY.md: Further clarify security adv. policy
Security advisories should only be filed against official releases.
.github/SECURITY.md
@@ -17,19 +17,23 @@ Vulnerabilities can be reported in one of the following ways:
Note that security advisories are reserved for security researchers who fully
understand the Common Vulnerability Scoring System (CVSS), Common Weakness
Enumeration (CWE), and Common Vulnerabilities and Exposures (CVE) Program and
who are prepared to demonstrate a known or probable exploit for an issue.
For example, if a buffer overrun, an uninitialized read, or undefined
behavior can be triggered by malformed data passed to a public libjpeg-turbo
API function from an otherwise well-behaved calling program, then it merits
investigation as a potential security issue. If, however, the calling
program itself is malformed and could not work properly with any image, then
its inevitable failure is not a security issue. Such failures can be
reported using a
who are prepared to demonstrate a known or probable exploit for an issue that
exists in an official release of libjpeg-turbo. For example, if a buffer
overrun, an uninitialized read, or undefined behavior can be triggered by
malformed data passed to a public libjpeg-turbo API function from an
otherwise well-behaved calling program, then it merits investigation as a
potential security issue. If, however, the calling program itself is
malformed and could not work properly with any image, then its inevitable
failure is not a security issue. Such failures can be reported using a
[GitHub bug report](https://github.com/libjpeg-turbo/libjpeg-turbo/issues/new/choose),
and they will be investigated as potential opportunities for user proofing.
- [Alpha/Evolving, Beta, and Post-Beta release series](https://libjpeg-turbo.org/DeveloperInfo/Versioning)
- [Beta and Post-Beta release series](https://libjpeg-turbo.org/DeveloperInfo/Versioning)
are not expected to be free of bugs, so vulnerabilities that affect only
those release series (for example, vulnerabilities introduced by a new
feature that is not present in a Stable release series) can optionally be
reported using a
[GitHub bug report](https://github.com/libjpeg-turbo/libjpeg-turbo/issues/new/choose).
Vulnerabilities that affect only
[Alpha/Evolving release series](https://libjpeg-turbo.org/DeveloperInfo/Versioning)
should always be reported using a
[GitHub bug report](https://github.com/libjpeg-turbo/libjpeg-turbo/issues/new/choose).
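Review bot: "an official release of libjpeg-turbo" in the rewritten sentence ("who are prepared to demonstrate a known or probable exploit for an issue that exists in an official release of libjpeg-turbo") is never defined in this hunk, and the two paragraphs that follow leave its boundary ambiguous: vulnerabilities that affect only Beta and Post-Beta release series "can optionally be" filed as GitHub bug reports, which implies a security advisory is still acceptable for them, while vulnerabilities that affect only Alpha/Evolving release series "should always be" filed as bug reports. If the intent is that Stable, Beta, and Post-Beta releases count as official and Alpha/Evolving releases do not, say so at the point of first use, for example "an issue that exists in an official (Stable, Beta, or Post-Beta) release of libjpeg-turbo", or link "official release" to the Versioning page that the later bullets already cite. It would also help reporters to state explicitly that a GitHub bug report is public, since the Alpha/Evolving rule directs vulnerability details to that channel rather than to a private advisory.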