rustls/SECURITY.md

# Security Policy

## Supported Versions

Security fixes will be backported only to the rustls versions for which the
original semver-compatible release was published less than 2 years ago.

For example, as of 2023-06-13 the latest release is 0.21.1.

* 0.21.0 was released in March of 2023
* 0.20.0 was released in September of 2021
* 0.19.0 was released in November of 2020

Therefore 0.20.x and 0.21.x will be updated, while 0.19.x will not be.

## Reporting a Vulnerability

Please report security bugs [via github](https://github.com/rustls/rustls/security/advisories/new).
We'll then:

- Prepare a fix and regression tests.
- Backport the fix and make a patch release for most recent release.
- Submit an advisory to [rustsec/advisory-db](https://github.com/RustSec/advisory-db).
- Refer to the advisory on the main README.md and release notes.

If you're *looking* for security bugs, this crate is set up for
`cargo fuzz` but would benefit from more runtime, targets and corpora.
Add SECURITY.md This restates the vuln reporting policy in CONTRIBUTING.md 2020-07-18 17:26:41 +00:00			`# Security Policy`

			`## Supported Versions`

Limit scope of security support based on time 2023-06-13 07:45:37 +00:00			`Security fixes will be backported only to the rustls versions for which the`
			`original semver-compatible release was published less than 2 years ago.`

			`For example, as of 2023-06-13 the latest release is 0.21.1.`

			`* 0.21.0 was released in March of 2023`
			`* 0.20.0 was released in September of 2021`
			`* 0.19.0 was released in November of 2020`

			`Therefore 0.20.x and 0.21.x will be updated, while 0.19.x will not be.`
Add SECURITY.md This restates the vuln reporting policy in CONTRIBUTING.md 2020-07-18 17:26:41 +00:00
			`## Reporting a Vulnerability`

SECURITY.md: use github vuln reporting tool We have a mailing list for this. But, the first time that was used for real, it didn't go very well: - the report and a follow-up went into spam. A private google group delivering to gmail -- you'd think this would work well, but it did not. - there was only me in the group. Github now has a "private vulnerability reporting" feature that should be better for getting reports to the right people quickly. Let's try that? 2023-08-22 16:57:08 +00:00			`Please report security bugs [via github](https://github.com/rustls/rustls/security/advisories/new).`
Adopt the Rust CoC; use mailing list for vuln reports 2021-08-08 10:12:16 +00:00			`We'll then:`
Add SECURITY.md This restates the vuln reporting policy in CONTRIBUTING.md 2020-07-18 17:26:41 +00:00
			`- Prepare a fix and regression tests.`
			`- Backport the fix and make a patch release for most recent release.`
			`- Submit an advisory to [rustsec/advisory-db](https://github.com/RustSec/advisory-db).`
			`- Refer to the advisory on the main README.md and release notes.`

			`If you're looking for security bugs, this crate is set up for`
			`cargo fuzz` but would benefit from more runtime, targets and corpora.