Add SECURITY.md
given the catastrophic way TALOS Intelligence "communicated" with upstream (i.e. by probably sending a single mail to an unused email address), it's probably best to explicitly document how to approach upstream when a security issue is discovered.
This commit is contained in:
parent
12a8484265
commit
e69788b761
28
SECURITY.md
Normal file
28
SECURITY.md
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
# Security Policy
|
||||||
|
|
||||||
|
## Supported Versions
|
||||||
|
|
||||||
|
| Version | Supported |
|
||||||
|
| --------- | ------------------ |
|
||||||
|
| 1.11.x | :white_check_mark: |
|
||||||
|
| <= 1.10.x | :x: |
|
||||||
|
|
||||||
|
## Reporting a Vulnerability
|
||||||
|
|
||||||
|
Open a public issue on github. The issue will most likely be fixed
|
||||||
|
within a day, unless all maintainers happen to just be taking a
|
||||||
|
vacation at the same time, which is unlikely.
|
||||||
|
|
||||||
|
Even then, having the bug publicly known will allow competent people
|
||||||
|
to come up with custom patches for distros, most likely quicker
|
||||||
|
than black hats can craft a remote execution exploit.
|
||||||
|
|
||||||
|
If you really really do not want to make the issue public, come
|
||||||
|
to the tinyproxy IRC channel and ask for a maintainer, which you
|
||||||
|
can then contact via private messages.
|
||||||
|
|
||||||
|
Do not, however, like ["TALOS Intelligence"](https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889)
|
||||||
|
pull a random email address out of git log, then send an email
|
||||||
|
nobody reads or responds to, and wait for 6 months for publication.
|
||||||
|
this only gives black hats plenty time to sell, use and circulate
|
||||||
|
zero days and get the best possible ROI.
|
Loading…
Reference in New Issue
Block a user