author: Daniel Stenberg <daniel@haxx.se>, 2016-10-27 10:21:52 +0200
committer: Daniel Stenberg <daniel@haxx.se>, 2016-10-27 10:21:52 +0200
commit: a65db0bbcbcafb6bb7fa58c606cd92199b3d5aa7 (patch)
tree: 115d14df8a731d5c8db99296de3c6ab598f5d24d
parent: 50ef91b59ae4b0bad0956f6e0424878f5de366e3 (diff)
SECURITY: minor updates
- we allow the security push up to 48 hours before the release
- add a mention about possible pre-notifications
- lower case the 'curl-security' title
docs/SECURITY.md | 20
1 files changed, 16 insertions, 4 deletions
diff --git a/docs/SECURITY.md b/docs/SECURITY.md index 52b5c76e5..e61e33add 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md @@ -75,9 +75,11 @@ announcement. to the 'distros' mailing list to allow them to use the fix prior to the public announcement. -- At the day of the next release, the private branch is merged into the master - branch and pushed. Once pushed, the information is accessible to the public - and the actual release should follow suit immediately afterwards. +- No more than 48 hours before the release, the private branch is merged into + the master branch and pushed. Once pushed, the information is accessible to + the public and the actual release should follow suit immediately afterwards. + The time between the push and the release is used for final tests and + reviews. - The project team creates a release that includes the fix. @@ -88,9 +90,19 @@ announcement. - The security web page on the web site should get the new vulnerability mentioned. +Pre-notification +---------------- +If you think you are or should be eligible for a pre-notifcation about +upcoming security announcements for curl, we urge OS distros and similar +vendors to primarily join the distros@openwall list as that is one of the +purposes of that list - and not just for curl of course. -CURL-SECURITY (at haxx dot se) +If you are not a distro or otherwise not suitable for distros@openwall and yet +want pre-notifications from us, contact the curl security team with a detailed +and clear explanation why this is the case. + +curl-security (at haxx dot se) ------------------------------ Who is on this list? There are a couple of criteria you must meet, and then we |
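Review bot: in the first hunk, "the actual release should follow suit immediately afterwards" now contradicts the new "No more than 48 hours before the release" and the added "The time between the push and the release is used for final tests and reviews"; the old sentence assumed push and release on the same day. Suggest "and the actual release should follow within those 48 hours." The surrounding context also states that the distros list gets the fix "prior to the public announcement", so once the push can precede the release by two days, the date the distros list is told the embargo ends must be the push date, not the release date, otherwise the embargo silently shortens; a sentence making that explicit would close the gap.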
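Review bot: in the second hunk, "pre-notifcation" is misspelled (should be "pre-notification"), and the opening sentence of the new section addresses the reader ("If you think you are or should be eligible") but then switches to the third person ("we urge OS distros and similar vendors to primarily join"). Suggest "If you are an OS distro or similar vendor and think you should be eligible for pre-notification about upcoming curl security announcements, join the distros@openwall list, as that is one of the purposes of that list - and not just for curl of course." In the second paragraph, "contact the curl security team" would read better as "contact curl-security (at haxx dot se)", since that address heads the very next section.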