e69788b761
given the catastrophic way TALOS Intelligence "communicated" with upstream (i.e. by probably sending a single mail to an unused email address), it's probably best to explicitly document how to approach upstream when a security issue is discovered.
29 lines
1.1 KiB
Markdown
29 lines
1.1 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
| Version | Supported |
|
|
| --------- | ------------------ |
|
|
| 1.11.x | :white_check_mark: |
|
|
| <= 1.10.x | :x: |
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
Open a public issue on github. The issue will most likely be fixed
|
|
within a day, unless all maintainers happen to just be taking a
|
|
vacation at the same time, which is unlikely.
|
|
|
|
Even then, having the bug publicly known will allow competent people
|
|
to come up with custom patches for distros, most likely quicker
|
|
than black hats can craft a remote execution exploit.
|
|
|
|
If you really really do not want to make the issue public, come
|
|
to the tinyproxy IRC channel and ask for a maintainer, which you
|
|
can then contact via private messages.
|
|
|
|
Do not, however, like ["TALOS Intelligence"](https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889)
|
|
pull a random email address out of git log, then send an email
|
|
nobody reads or responds to, and wait for 6 months for publication.
|
|
this only gives black hats plenty time to sell, use and circulate
|
|
zero days and get the best possible ROI.
|