This file describes how security issues are reported and handled, and what the expectations are for security issues reported to this project.

With responsible disclosure, a security issue (and its fix) is disclosed only after a mutually-agreed period of time (the "embargo date"). The issue and fix are shared amongst and reviewed by the key stakeholders (Linux distributions, OS vendors, etc.) and the CERT/CC. Fixes are released to the public on the agreed-upon date.

Responsible disclosure applies only to production releases. A security vulnerability that only affects unreleased code can be fixed immediately without coordination. Vendors should not package and release unstable snapshots, beta releases, or release candidates of this software.

All production releases of this software are subject to this security policy. A production release is tagged and given a semantic version number of the form:

MAJOR.MINOR.PATCH

where "MAJOR" is an integer starting at 1 and "MINOR" and "PATCH" are integers starting at 0. A feature release has a "PATCH" value of 0, for example:

1.0.0
1.1.0
2.0.0

Beta releases and release candidates are not prodution releases and use semantic version numbers of the form:

MAJOR.MINORbNUMBER
MAJOR.MINORrcNUMBER

where "MAJOR" and "MINOR" identify the new feature release version number and "NUMBER" identifies a beta or release candidate number starting at 1, for example:

1.0b1
1.0b2
1.0rc1

Github supports private security advisories and OpenPrinting CUPS enabled their usage, report all security issue via them. Reporters can file a security advisory by clicking on New issue at tab Issues and choose Report a vulnerability. Provide details, impact, reproducer, affected versions, workarounds and patch for the vulnerability if there are any and estimate severity when creating the advisory. Expect a response within 5 business days. Once OpenPrinting group agree on the patch and announce it on [email protected], there is embargo period 7-10 days long.