# Security Policy

## Reporting a vulnerability

Please send a detailed mail to git-security@googlegroups.com to
report vulnerabilities in Git.

Even when unsure whether the bug in question is an exploitable
vulnerability, it is recommended to send the report to
git-security@googlegroups.com (and obviously not to discuss the
issue anywhere else).

Vulnerabilities are expected to be discussed _only_ on that
list, and not in public, until the official announcement on the
Git mailing list on the release date.

Examples for details to include:

- Ideally a short description (or a script) to demonstrate an
  exploit.
- The affected platforms and scenarios (the vulnerability might
  only affect setups with case-sensitive file systems, for
  example).
- The name and affiliation of the security researchers who are
  involved in the discovery, if any.
- Whether the vulnerability has already been disclosed.
- How long an embargo would be required to be safe.

## Supported Versions

There are no official "Long Term Support" versions in Git.
Instead, the maintenance track (i.e. the versions based on the
most recently published feature release, also known as ".0"
version) sees occasional updates with bug fixes.

Fixes to vulnerabilities are made for the maintenance track for
the latest feature release and merged up to the in-development
branches. The Git project makes no formal guarantee for any
older maintenance tracks to receive updates. In practice,
though, critical vulnerability fixes are applied not only to the
most recent track, but to at least a couple more maintenance
tracks.

This is typically done by making the fix on the oldest and still
relevant maintenance track, and merging it upwards to newer and
newer maintenance tracks.

For example, v2.24.1 was released to address a couple of
[CVEs](https://cve.mitre.org/), and at the same time v2.14.6,
v2.15.4, v2.16.6, v2.17.3, v2.18.2, v2.19.3, v2.20.2, v2.21.1,
v2.22.2 and v2.23.1 were released.