support-embedded-postgres-cli/SECURITY.md

# Security policy

## Supported versions

Only the latest minor version releases are supported (e.g., 0.14) for patching vulnerabilities. You can find the latest minor version in the [GitHub releases](https://github.com/gogs/gogs/releases) page. 

Existing vulnerability reports are being tracked in [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories). Not all accepted GHSA are published.

## Vulnerability lifecycle

> [!important]
> Starting **Nov 9, 2023 00:00 UTC**, only security vulnerabilities reported through [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories/new) are accepted.
> Pre-existing vulnerability reported through https://huntr.dev/ or email (`security@gogs.io`) will continue to be worked through.

1. Report an advisory for the vulnerability.
    - Please be aware that **only advisories reported in plain English** will be reviewed.
    - We DO NOT accept vulnerabilities cannot be reproduced on the latest `main` commit.
1. Project maintainers review the advisory:
    - Ask clarifying questions
    - Make sure there was no prior advisory exists for the same vulnerability
    - Confirm or deny the vulnerability
1. Once the advisory is accepted, the reporter may submit a patch or wait for project maintainers to patch.
    - The latter is usually significantly slower.
1. Patch releases will be made for the supported versions.
1. After 14 days of the release, publish the corresponding advisory on [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories).

Thank you for making open source community a better place!
Add security policy 2020-05-02 17:15:55 +08:00			`# Security policy`

			`## Supported versions`

Update security policy for version support and advisories [skip ci] 2026-02-01 08:16:22 -05:00			`Only the latest minor version releases are supported (e.g., 0.14) for patching vulnerabilities. You can find the latest minor version in the [GitHub releases](https://github.com/gogs/gogs/releases) page.`
Add security policy 2020-05-02 17:15:55 +08:00
Update security policy for version support and advisories [skip ci] 2026-02-01 08:16:22 -05:00			`Existing vulnerability reports are being tracked in [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories). Not all accepted GHSA are published.`
Add security policy 2020-05-02 17:15:55 +08:00
SECURITY: clarify vulnerability lifecycle (#6828) [skip ci] 2022-03-11 14:25:09 +08:00			`## Vulnerability lifecycle`
security: encourage reporting vulnerabilities through huntr.dev (#6811) [skip ci] 2022-03-06 20:13:56 +08:00
chore: update security policy [skip ci] 2023-11-09 22:10:42 -05:00			`> [!important]`
			`> Starting Nov 9, 2023 00:00 UTC, only security vulnerabilities reported through [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories/new) are accepted.`
			> Pre-existing vulnerability reported through https://huntr.dev/ or email (`security@gogs.io`) will continue to be worked through.

chore: update security advisory reporting process [skip ci] 2025-12-10 20:22:12 -05:00			`1. Report an advisory for the vulnerability.`
			`- Please be aware that only advisories reported in plain English will be reviewed.`
chore: update vulnerability reporting guidelines [skip ci] 2026-01-31 12:01:23 -05:00			- We DO NOT accept vulnerabilities cannot be reproduced on the latest `main` commit.
chore: update security advisory reporting process [skip ci] 2025-12-10 20:22:12 -05:00			`1. Project maintainers review the advisory:`
SECURITY: clarify vulnerability lifecycle (#6828) [skip ci] 2022-03-11 14:25:09 +08:00			`- Ask clarifying questions`
chore: update security advisory reporting process [skip ci] 2025-12-10 20:22:12 -05:00			`- Make sure there was no prior advisory exists for the same vulnerability`
SECURITY: clarify vulnerability lifecycle (#6828) [skip ci] 2022-03-11 14:25:09 +08:00			`- Confirm or deny the vulnerability`
chore: update security advisory reporting process [skip ci] 2025-12-10 20:22:12 -05:00			`1. Once the advisory is accepted, the reporter may submit a patch or wait for project maintainers to patch.`
SECURITY: clarify vulnerability lifecycle (#6828) [skip ci] 2022-03-11 14:25:09 +08:00			`- The latter is usually significantly slower.`
			`1. Patch releases will be made for the supported versions.`
chore: update security policy 2024-12-10 22:23:01 -05:00			`1. After 14 days of the release, publish the corresponding advisory on [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories).`
security: encourage reporting vulnerabilities through huntr.dev (#6811) [skip ci] 2022-03-06 20:13:56 +08:00
chore: update security advisory reporting process [skip ci] 2025-12-10 20:22:12 -05:00			`Thank you for making open source community a better place!`