From 5e7c599755f25708adc7fa956ed4bf4410c957e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E1=B4=8A=E1=B4=8F=E1=B4=87=20=E1=B4=84=CA=9C=E1=B4=87?= =?UTF-8?q?=C9=B4?= Date: Wed, 10 Dec 2025 20:22:12 -0500 Subject: [PATCH] chore: update security advisory reporting process [skip ci] --- SECURITY.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index c963025df..f66b66762 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,13 +12,15 @@ Existing vulnerability reports are being tracked in [GitHub Security Advisories] > Starting **Nov 9, 2023 00:00 UTC**, only security vulnerabilities reported through [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories/new) are accepted. > Pre-existing vulnerability reported through https://huntr.dev/ or email (`security@gogs.io`) will continue to be worked through. -1. Report an advisory for the vulnerability -1. Project maintainers review the advisory and either: +1. Report an advisory for the vulnerability. + - Please be aware that **only advisories reported in plain English** will be reviewed. +1. Project maintainers review the advisory: - Ask clarifying questions + - Make sure there was no prior advisory exists for the same vulnerability - Confirm or deny the vulnerability -1. Once the vulnerability is confirmed, the reporter may submit a patch or wait for project maintainers to patch. +1. Once the advisory is accepted, the reporter may submit a patch or wait for project maintainers to patch. - The latter is usually significantly slower. 1. Patch releases will be made for the supported versions. 1. After 14 days of the release, publish the corresponding advisory on [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories). -Thank you! +Thank you for making open source community a better place!
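Review bot: the rewritten step `+1. Once the advisory is accepted, the reporter may submit a patch or wait for project maintainers to patch.` introduces the term "accepted" without defining it, while the preceding review step still ends with `- Confirm or deny the vulnerability`; either keep "confirmed" here or state in the review step that a confirmed vulnerability is an accepted advisory, so reporters know which outcome lets them start on a patch. Two smaller fixes in the same hunk: the added bullet `+   - Make sure there was no prior advisory exists for the same vulnerability` is ungrammatical and should read `- Make sure no prior advisory exists for the same vulnerability`, and the new closing line `+Thank you for making open source community a better place!` is missing an article (`the open source community`). While touching this section, the unchanged context line `Pre-existing vulnerability reported through ...` should be plural (`Pre-existing vulnerabilities reported through ...`).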