security: change SECURITY.md to recommend GitHub's private reporting (#39651 )

GitHub's beta private security issue reporting feature is enabled on the Spack repo now,
so we can change `SECURITY.md` to recommend using it instead of `maintainers@spack.io`.

- [x] Update `SECURITY.md` to direct people to the GitHub security tab.
- [x] Update working in `SECURITY.md` to say "last two major releases" with a link to
      the releases page, instead of explicitly listing release names. This way we don't have
      to update it (which we keep forgetting to do).

2023-08-28 18:06:17 +00:00

1.1 KiB

Raw Blame History

Security Policy

Supported Versions

We provide security updates for develop and for the last two stable (0.x) release series of Spack. Security updates will be made available as patch (0.x.1, 0.x.2, etc.) releases.

For more on Spack's release structure, see README.md.

Reporting a Vulnerability

You can report a vulnerability using GitHub's private reporting feature:

Go to github.com/spack/spack/security.
Click "Report a vulnerability" in the upper right corner of that page.
Fill out the form and submit your draft security advisory.

More details are available in GitHub's docs.

You can expect to hear back about security issues within two days. If your security issue is accepted, we will do our best to release a fix within a week. If fixing the issue will take longer than this, we will discuss timeline options with you.

1.1 KiB Raw Blame History

Security Policy

Supported Versions

Reporting a Vulnerability

1.1 KiB

Raw Blame History