SECURITY.md: Further clarify security adv. policy
Security advisories should only be filed against official releases.
22
.github/SECURITY.md
vendored
@@ -17,19 +17,23 @@ Vulnerabilities can be reported in one of the following ways:
|
|||||||
Note that security advisories are reserved for security researchers who fully
|
Note that security advisories are reserved for security researchers who fully
|
||||||
understand the Common Vulnerability Scoring System (CVSS), Common Weakness
|
understand the Common Vulnerability Scoring System (CVSS), Common Weakness
|
||||||
Enumeration (CWE), and Common Vulnerabilities and Exposures (CVE) Program and
|
Enumeration (CWE), and Common Vulnerabilities and Exposures (CVE) Program and
|
||||||
who are prepared to demonstrate a known or probable exploit for an issue.
|
who are prepared to demonstrate a known or probable exploit for an issue that
|
||||||
For example, if a buffer overrun, an uninitialized read, or undefined
|
exists in an official release of libjpeg-turbo. For example, if a buffer
|
||||||
behavior can be triggered by malformed data passed to a public libjpeg-turbo
|
overrun, an uninitialized read, or undefined behavior can be triggered by
|
||||||
API function from an otherwise well-behaved calling program, then it merits
|
malformed data passed to a public libjpeg-turbo API function from an
|
||||||
investigation as a potential security issue. If, however, the calling
|
otherwise well-behaved calling program, then it merits investigation as a
|
||||||
program itself is malformed and could not work properly with any image, then
|
potential security issue. If, however, the calling program itself is
|
||||||
its inevitable failure is not a security issue. Such failures can be
|
malformed and could not work properly with any image, then its inevitable
|
||||||
reported using a
|
failure is not a security issue. Such failures can be reported using a
|
||||||
[GitHub bug report](https://github.com/libjpeg-turbo/libjpeg-turbo/issues/new/choose),
|
[GitHub bug report](https://github.com/libjpeg-turbo/libjpeg-turbo/issues/new/choose),
|
||||||
and they will be investigated as potential opportunities for user proofing.
|
and they will be investigated as potential opportunities for user proofing.
|
||||||
- [Alpha/Evolving, Beta, and Post-Beta release series](https://libjpeg-turbo.org/DeveloperInfo/Versioning)
|
- [Beta and Post-Beta release series](https://libjpeg-turbo.org/DeveloperInfo/Versioning)
|
||||||
are not expected to be free of bugs, so vulnerabilities that affect only
|
are not expected to be free of bugs, so vulnerabilities that affect only
|
||||||
those release series (for example, vulnerabilities introduced by a new
|
those release series (for example, vulnerabilities introduced by a new
|
||||||
feature that is not present in a Stable release series) can optionally be
|
feature that is not present in a Stable release series) can optionally be
|
||||||
reported using a
|
reported using a
|
||||||
[GitHub bug report](https://github.com/libjpeg-turbo/libjpeg-turbo/issues/new/choose).
|
[GitHub bug report](https://github.com/libjpeg-turbo/libjpeg-turbo/issues/new/choose).
|
||||||
|
Vulnerabilities that affect only
|
||||||
|
[Alpha/Evolving release series](https://libjpeg-turbo.org/DeveloperInfo/Versioning)
|
||||||
|
should always be reported using a
|
||||||
|
[GitHub bug report](https://github.com/libjpeg-turbo/libjpeg-turbo/issues/new/choose).
|
||||||
|
|||||||
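Review bot: the new qualifier "that exists in an official release of libjpeg-turbo" leaves "official release" undefined relative to the release series named in the same hunk, which creates an ambiguity in the sentence that follows it: if "official release" means only the Stable series, then Beta and Post-Beta vulnerabilities can no longer be filed as advisories and the word "optionally" in "can optionally be reported using a GitHub bug report" has no remaining alternative; if Beta and Post-Beta releases count as official releases, the restriction should say so. Suggest stating which series qualify inline, e.g. "an official release of libjpeg-turbo (see the release series described below)", or linking "official release" to the Versioning page already cited for the series names. Separately, the new Alpha/Evolving paragraph directs reporters to a public bug report for what may be a vulnerability; since that is a deliberate choice (the text already states those series are not expected to be free of bugs), one sentence saying that such reports are expected to be public would spare cautious reporters from holding back.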