This document describes what to do in case of a security issue with
Your report will be acknowledged within 2 business days. Any information shared with the security team will not be shared with other parties except as required to get the issue fixed or to coordinate a vendor response. As a security issue moves through our process, the reporter will be kept up-to-date.
Our goal is to disclose bugs as soon as possible once a user mitigation is available. We will set a disclosure date once the bug is well-understood (in consultation with the bug reporter and the relevant project maintainers).
Here are the steps:
- The person discovering an issue (the reporter) privately reports it to firstname.lastname@example.org.
- The security team will reply to the reporter within two business days to acknowledge receipt.
- The security team will investigate the report.
- If the report is rejected, the process will stop. If accepted, the process continues.
- The security team will obtain a CVE number for the vulnerability.
- A fix and an announcement will be prepared.
- The fix and announcement will be shared with the reporter for verification.
- A release plan will be made in agreement with the reporter.
- A release will be published.
- The vulnerability will be announced.