spack/SECURITY.md

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

28 lines
1.1 KiB
Markdown
Raw Permalink Normal View History

2021-09-19 13:43:14 +00:00
# Security Policy
## Supported Versions
We provide security updates for `develop` and for the last two
stable (`0.x`) release series of Spack. Security updates will be
made available as patch (`0.x.1`, `0.x.2`, etc.) releases.
2021-09-19 13:43:14 +00:00
For more on Spack's release structure, see
[`README.md`](https://github.com/spack/spack#releases).
## Reporting a Vulnerability
2021-09-19 13:43:14 +00:00
You can report a vulnerability using GitHub's private reporting
feature:
2021-09-19 13:43:14 +00:00
1. Go to [github.com/spack/spack/security](https://github.com/spack/spack/security).
2. Click "Report a vulnerability" in the upper right corner of that page.
3. Fill out the form and submit your draft security advisory.
2021-09-19 13:43:14 +00:00
More details are available in
[GitHub's docs](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).
2021-09-19 13:43:14 +00:00
You can expect to hear back about security issues within two days.
If your security issue is accepted, we will do our best to release
a fix within a week. If fixing the issue will take longer than
this, we will discuss timeline options with you.