On GitHub, SECURITY.md files are the recommended way to describe how to report vulnerabilities, and to set expectations how far back maintenance tracks are updated with security bug fixes. For example, when navigating to https://github.com/git/git/security/ users would be guided to that SECURITY.md file. If it exists. The purpose of this patch series is to add this file, describing Git's security policy. While at it, I also want to document the process how to coordinate the ensuing embargoed releases. This is what the second patch is all about. The reason for that is quite selfish, as I did two of them, and while I am happy that such embargoed releases do not happen all that often, the downside is that I keep forgetting all the details. So this document is not only meant for knowledge sharing, but in particular to help me the next time(s) I coordinate an embargoed release. Many thanks to Junio who reviewed the first draft of this patch series (where I had not yet separated out Documentation/howto/coordinate-embargoed-releases.txt). Changes since v1: * Fixed typo Johannes Schindelin (2): SECURITY: describe how to report vulnerabilities Document how we do embargoed releases Documentation/Makefile | 1 + .../howto/coordinate-embargoed-releases.txt | 131 ++++++++++++++++++ SECURITY.md | 51 +++++++ 3 files changed, 183 insertions(+) create mode 100644 Documentation/howto/coordinate-embargoed-releases.txt create mode 100644 SECURITY.md base-commit: e6362826a0409539642a5738db61827e5978e2e4 Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-917%2Fdscho%2Fsecurity-policy-v2 Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-917/dscho/security-policy-v2 Pull-Request: https://github.com/gitgitgadget/git/pull/917 Range-diff vs v1: 1: 2c9f5725d96f ! 1: 3f5d866de195 SECURITY: describe how to report vulnerabilities @@ SECURITY.md (new) +- Ideally a short description (or a script) to demonstrate an + exploit. +- The affected platforms and scenarios (the vulnerability might -+ only affect setups with case-sensitiv file systems, for ++ only affect setups with case-sensitive file systems, for + example). +- The name and affiliation of the security researchers who are + involved in the discovery, if any. 2: 41efaaf62864 = 2: 565d7982d870 Document how we do embargoed releases -- gitgitgadget
