Skip to content

Commit

Permalink
Create SECURITY.md (#175)
Browse files Browse the repository at this point in the history 
Create a initial security policy

This is based on a document from the OpenSSF scorecard project

https://github.com/ossf/scorecard/blob/main/SECURITY.md
  • Loading branch information
@decke
decke authored Feb 4, 2025
1 parent dfd7620 commit 687c793
Showing 1 changed file with 51 additions and 0 deletions.
51 changes: 51 additions & 0 deletions SECURITY.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
# smtprelay Security Policy

This document outlines security procedures and general policies for the
smtprelay project.

## Supported Versions

The latest release is the only supported release.


## Disclosing a security issue

The smtprelay maintainers take all security issues in the project seriously.
Thank you for improving the security of the project! We appreciate your
dedication to responsible disclosure and will make every effort to acknowledge
your contributions.

smtprelay leverages GitHub's private vulnerability reporting.

To learn more about this feature and how to submit a vulnerability report,
review [GitHub's documentation on private reporting](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability).

Here are some helpful details to include in your report:

- a detailed description of the issue
- the steps required to reproduce the issue
- versions of the project that may be affected by the issue
- if known, any mitigations for the issue

A maintainer will acknowledge the report within three (3) business days, and
will send a more detailed response within an additional three (3) business days
indicating the next steps in handling your report.

After the initial reply to your report, the maintainers will endeavor to keep
you informed of the progress towards a fix and full announcement, and may ask
for additional information or guidance.

## Vulnerability management

When the maintainers receive a disclosure report, they will coordinate the
fix and release process, which involves the following steps:

- confirming the issue
- determining affected versions of the project
- auditing code to find any potential similar problems
- preparing fixes for all releases under maintenance

## Suggesting changes

If you have suggestions on how this process could be improved please submit an
issue or pull request.

0 comments on commit 687c793

Please sign in to comment.