From: Guus Sliepen Date: Fri, 2 Jul 2021 14:55:43 +0000 (+0200) Subject: Add a SECURITY.md file describing our security policy. X-Git-Url: https://tinc-vpn.org/git/browse?a=commitdiff_plain;h=344c1b64d301a0b5ea511fcbc3b6800664904f74;p=tinc Add a SECURITY.md file describing our security policy. --- diff --git a/Makefile.am b/Makefile.am index b3b5a037..568d5483 100644 --- a/Makefile.am +++ b/Makefile.am @@ -6,7 +6,7 @@ SUBDIRS = src doc test systemd bash_completion.d ACLOCAL_AMFLAGS = -I m4 -EXTRA_DIST = COPYING.README README.android +EXTRA_DIST = COPYING.README README.android SECURITY.md @CODE_COVERAGE_RULES@ diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..f3a2dea3 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,29 @@ +# Security Policy + +## Reporting a Vulnerability + +If you have found a security vulnerability in tinc, please email +guus@tinc-vpn.org directly. You can encrypt the email using PGP if desired. We +will try to respond within 48 hours. If there is no response, try to contact us +via alternate means listed at https://www.tinc-vpn.org/contact/. + +## Disclosure Policy + +We greatly prefer to use the responsible disclosure model. After we have been +contacted about a potential vulnerability, we will do the following: + +- Confirm the problem and determine the affected versions. +- Register a CVE number. +- Prepare a fix for all affected versions of tinc. +- Coordinate a release of the fix with Linux and BSD distributions. +- Disclose the vulneratbility after the fix has been released and any agreed + upon embargo period has expired. + +## Supported Versions + +Currently we support the 1.0.x and 1.1.x branches of tinc. + +| Version | Supported | +| ------- | ---------- | +| 1.1.x | yes | +| 1.0.x | yes |