chore: update security advisory reporting process

[skip ci]
ᴊᴏᴇ ᴄʜᴇɴ
2025-12-10 20:22:12 -05:00
committed by GitHub
parent 2c88cd4d9f
commit 5e7c599755


@@ -12,13 +12,15 @@ Existing vulnerability reports are being tracked in [GitHub Security Advisories]
> Starting **Nov 9, 2023 00:00 UTC**, only security vulnerabilities reported through [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories/new) are accepted. > Starting **Nov 9, 2023 00:00 UTC**, only security vulnerabilities reported through [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories/new) are accepted.
> Pre-existing vulnerability reported through https://huntr.dev/ or email (`security@gogs.io`) will continue to be worked through. > Pre-existing vulnerability reported through https://huntr.dev/ or email (`security@gogs.io`) will continue to be worked through.
1. Report an advisory for the vulnerability 1. Report an advisory for the vulnerability.
1. Project maintainers review the advisory and either: - Please be aware that **only advisories reported in plain English** will be reviewed.
1. Project maintainers review the advisory:
- Ask clarifying questions - Ask clarifying questions
- Make sure there was no prior advisory exists for the same vulnerability
- Confirm or deny the vulnerability - Confirm or deny the vulnerability
1. Once the vulnerability is confirmed, the reporter may submit a patch or wait for project maintainers to patch. 1. Once the advisory is accepted, the reporter may submit a patch or wait for project maintainers to patch.
- The latter is usually significantly slower. - The latter is usually significantly slower.
1. Patch releases will be made for the supported versions. 1. Patch releases will be made for the supported versions.
1. After 14 days of the release, publish the corresponding advisory on [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories). 1. After 14 days of the release, publish the corresponding advisory on [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories).
Thank you! Thank you for making open source community a better place!
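Review bot: the newly added check "Make sure there was no prior advisory exists for the same vulnerability" mixes two constructions; suggest "Make sure no prior advisory exists for the same vulnerability". Two smaller points in the same hunk: the retained note "Pre-existing vulnerability reported through https://huntr.dev/ or email (`security@gogs.io`) will continue to be worked through" should read "Pre-existing vulnerabilities reported through ... will continue to be worked through", and step 3 now says "Once the advisory is accepted" while step 2 still describes maintainers who "Confirm or deny the vulnerability", so one of "accepted" or "confirmed" should be used consistently so reporters know which event starts the patching step. The closing line would also read better as "Thank you for making the open source community a better place!".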