From 1e4b002b9d1de49f6d55082b110f20a1710de973 Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht Date: Mon, 4 Sep 2023 15:53:41 +0000 Subject: [PATCH] Move vulnerability disclosure instructions to SECURITY.md Signed-off-by: Pedro Kaj Kjellerup Nacht --- CONTRIBUTING.md | 3 --- SECURITY.md | 17 +++++++++++++++++ 2 files changed, 17 insertions(+), 3 deletions(-) create mode 100644 SECURITY.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 250398f8a..2c4fd99d5 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -16,9 +16,6 @@ Issues keeping the issues properly organized and searchable (by OS, issue type, etc.). * When reporting a malfunction, consider enabling [debug mode](https://psutil.readthedocs.io/en/latest/#debug-mode) first. -* To report a **security vulnerability**, use the - [Tidelift security contact](https://tidelift.com/security). - Tidelift will coordinate the fix and the disclosure of the reported problem. Pull Requests ------------- diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..3ace82d94 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,17 @@ +# Security Policy + +If you have discovered a security vulnerability in this project, please report it +privately. **Do not disclose it as a public issue.** This gives me time to work with you +to fix the issue before public exposure, reducing the chance that the exploit will be +used before a patch is released. + +To report a security vulnerability, use the [Tidelift security contact](https://tidelift.com/security). +Tidelift will coordinate the fix and the disclosure of the reported problem. + +Please provide the following information in your report: + +- A description of the vulnerability and its impact +- How to reproduce the issue + +This project is maintained by a single maintainer on a reasonable-effort basis. As such, +I ask that you give me 90 days to work on a fix before public exposure.
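Review bot: Deleting the three lines from CONTRIBUTING.md leaves that file with no pointer to the private reporting channel at all, so a contributor who reads only CONTRIBUTING.md (the file most people open first) may fall back to filing a public issue, which is exactly what the new SECURITY.md asks them not to do. Suggest replacing the removed bullet with a one-line cross-reference, e.g. `* To report a **security vulnerability**, see [SECURITY.md](SECURITY.md).`, so the instructions live in one place but remain discoverable from both.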
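Review bot: The "Please provide the following information" checklist in the new SECURITY.md omits the affected version and operating system, even though the surrounding CONTRIBUTING.md context notes that issues are organized "by OS, issue type, etc." and psutil behaviour is platform-specific; suggest adding a bullet such as `- The psutil version and the operating system / platform where the issue occurs` so triage does not need a follow-up round trip. Separately, the 90-day request in the final paragraph and the statement that "Tidelift will coordinate the fix and the disclosure" describe two disclosure timelines without saying how they relate; a short sentence making clear that the 90-day window is the maintainer's expectation within the Tidelift-coordinated process would avoid reporters reading them as conflicting.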