SECURITY.md: Wordsmithing and clarifications
- Clarify that encrypted e-mail is optional.
- Mention the new GitHub security advisory system.
- Clarify that vulnerabilities against new features that are not yet in a Stable release series need not be reported securely.
Changed file: .github/SECURITY.md (17 lines, vendored)
@@ -2,8 +2,21 @@
## Supported Versions
Any branch/release series that is in the [Next-Gen, Active, Maintenance, or Extended support category](https://libjpeg-turbo.org/DeveloperInfo/Versioning) is eligible for security updates.
Fixes for security vulnerabilities are applied to any applicable branch/release
series that is in the
[Next-Gen, Active, Maintenance, or Extended support category](https://libjpeg-turbo.org/DeveloperInfo/Versioning).
## Reporting a Vulnerability
To securely report vulnerabilities, [contact the project admin](https://libjpeg-turbo.org/About/Contact) using GPG-encrypted e-mail.
Vulnerabilities can be reported in one of the following ways:
- [E-mail the project admin](https://libjpeg-turbo.org/About/Contact). You can
optionally encrypt the e-mail using the provided public GPG key.
- Open a
[GitHub draft security advisory](https://github.com/libjpeg-turbo/libjpeg-turbo/security/advisories/new).
- [Alpha/Evolving, Beta, and Post-Beta release series](https://libjpeg-turbo.org/DeveloperInfo/Versioning)
are not expected to be free of bugs, so vulnerabilities that affect only
those release series (for example, vulnerabilities introduced by a new
feature that is not present in a Stable release series) can optionally be
reported using a
[GitHub bug report](https://github.com/libjpeg-turbo/libjpeg-turbo/issues/new/choose).
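Review bot: The third bullet lets a reporter choose a public GitHub bug report whenever they believe a vulnerability affects only an Alpha/Evolving, Beta, or Post-Beta series, but a reporter is not always in a position to know whether the affected code also exists in a Stable series, and a public issue cannot be made private afterwards; consider adding a sentence such as "If in doubt about which release series are affected, use one of the private channels above." Minor: that bullet is phrased as a third reporting channel although it is really a carve-out from the two channels above it, so it may read better as a separate paragraph after the list.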