We currently only support one major version of Janeway. The master development branch becomes the next major release of Janeway and receieves security support. Security issues that only affect the master branch and not any stable released versions can be reported as Bugs and are fixed in public. Security vulnerabilities that effect a support branch, listed below, should be reported using the details provided under Reporting a Vulnerability.
| Version | Supported |
|---|---|
| 1.3.x | ✔️ |
| <1.2.x | ❌ |
The full list of people and organizations who receive advance notification of security issues is not and will not be made public.
On a case by case basis we may notify individuals and organisations who collaborate in the development of Janeway.
If you detect a serious security vulnerability you should report it to us directly via email to [email protected]. Please provide where possible:
- a brief description of the vulnerability
- the website, page or repository where the vulnerability can be observed
- any other documentation that may assist in fixing the issue
We will follow this process:
| Activity | Days From Initial Report |
|---|---|
| Acknowledge Initial Report | 1 day |
| Provide Initial Assesment to Reporter | 5 days |
| Create and Test Fix | 14 days |
| Publish Security Advisory on Github | 21 days |
Some content adapted from [Django Security Policy]