tinyproxy/SECURITY.md

# Security Policy

## Supported Versions

| Version   | Supported          |
| --------- | ------------------ |
| 1.11.x    | :white_check_mark: |
| <= 1.10.x | :x:                |

## Reporting a Vulnerability

Open a public issue on github. The issue will most likely be fixed
within a day, unless all maintainers happen to just be taking a
vacation at the same time, which is unlikely.

Even then, having the bug publicly known will allow competent people
to come up with custom patches for distros, most likely quicker
than black hats can craft a remote execution exploit.

If you really really do not want to make the issue public, come
to the tinyproxy IRC channel and ask for a maintainer, which you
can then contact via private messages.

Do not, however, like ["TALOS Intelligence"](https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889)
pull a random email address out of git log, then send an email
nobody reads or responds to, and wait for 6 months for publication.
this only gives black hats plenty time to sell, use and circulate
zero days and get the best possible ROI.
Add SECURITY.md given the catastrophic way TALOS Intelligence "communicated" with upstream (i.e. by probably sending a single mail to an unused email address), it's probably best to explicitly document how to approach upstream when a security issue is discovered. 2024-05-06 02:56:17 +08:00			`# Security Policy`

			`## Supported Versions`

			`\| Version \| Supported \|`
			`\| --------- \| ------------------ \|`
			`\| 1.11.x \| :white_check_mark: \|`
			`\| <= 1.10.x \| :x: \|`

			`## Reporting a Vulnerability`

			`Open a public issue on github. The issue will most likely be fixed`
			`within a day, unless all maintainers happen to just be taking a`
			`vacation at the same time, which is unlikely.`

			`Even then, having the bug publicly known will allow competent people`
			`to come up with custom patches for distros, most likely quicker`
			`than black hats can craft a remote execution exploit.`

			`If you really really do not want to make the issue public, come`
			`to the tinyproxy IRC channel and ask for a maintainer, which you`
			`can then contact via private messages.`

			`Do not, however, like ["TALOS Intelligence"](https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889)`
			`pull a random email address out of git log, then send an email`
			`nobody reads or responds to, and wait for 6 months for publication.`
			`this only gives black hats plenty time to sell, use and circulate`
			`zero days and get the best possible ROI.`