aboutsummaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2016-10-27 10:21:52 +0200
committerDaniel Stenberg <daniel@haxx.se>2016-10-27 10:21:52 +0200
commita65db0bbcbcafb6bb7fa58c606cd92199b3d5aa7 (patch)
tree115d14df8a731d5c8db99296de3c6ab598f5d24d /docs
parent50ef91b59ae4b0bad0956f6e0424878f5de366e3 (diff)
SECURITY: minor updates
- we allow the security push up to 48 hours before the release - add a mention about possible pre-notifications - lower case the 'curl-security' title
Diffstat (limited to 'docs')
-rw-r--r--docs/SECURITY.md20
1 files changed, 16 insertions, 4 deletions
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
index 52b5c76e5..e61e33add 100644
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@@ -75,9 +75,11 @@ announcement.
to the 'distros' mailing list to allow them to use the fix prior to the
public announcement.
-- At the day of the next release, the private branch is merged into the master
- branch and pushed. Once pushed, the information is accessible to the public
- and the actual release should follow suit immediately afterwards.
+- No more than 48 hours before the release, the private branch is merged into
+ the master branch and pushed. Once pushed, the information is accessible to
+ the public and the actual release should follow suit immediately afterwards.
+ The time between the push and the release is used for final tests and
+ reviews.
- The project team creates a release that includes the fix.
@@ -88,9 +90,19 @@ announcement.
- The security web page on the web site should get the new vulnerability
mentioned.
+Pre-notification
+----------------
+If you think you are or should be eligible for a pre-notifcation about
+upcoming security announcements for curl, we urge OS distros and similar
+vendors to primarily join the distros@openwall list as that is one of the
+purposes of that list - and not just for curl of course.
-CURL-SECURITY (at haxx dot se)
+If you are not a distro or otherwise not suitable for distros@openwall and yet
+want pre-notifications from us, contact the curl security team with a detailed
+and clear explanation why this is the case.
+
+curl-security (at haxx dot se)
------------------------------
Who is on this list? There are a couple of criteria you must meet, and then we