mirror of
https://github.com/gogs/gogs.git
synced 2026-02-07 15:09:21 +01:00
28 lines
1.6 KiB
Markdown
28 lines
1.6 KiB
Markdown
# Security policy
|
|
|
|
## Supported versions
|
|
|
|
Only the latest minor version releases are supported (e.g., 0.14) for patching vulnerabilities. You can find the latest minor version in the [GitHub releases](https://github.com/gogs/gogs/releases) page.
|
|
|
|
Existing vulnerability reports are being tracked in [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories). Not all accepted GHSA are published.
|
|
|
|
## Vulnerability lifecycle
|
|
|
|
> [!important]
|
|
> Starting **Nov 9, 2023 00:00 UTC**, only security vulnerabilities reported through [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories/new) are accepted.
|
|
> Pre-existing vulnerability reported through https://huntr.dev/ or email (`security@gogs.io`) will continue to be worked through.
|
|
|
|
1. Report an advisory for the vulnerability.
|
|
- Please be aware that **only advisories reported in plain English** will be reviewed.
|
|
- We DO NOT accept vulnerabilities cannot be reproduced on the latest `main` commit.
|
|
1. Project maintainers review the advisory:
|
|
- Ask clarifying questions
|
|
- Make sure there was no prior advisory exists for the same vulnerability
|
|
- Confirm or deny the vulnerability
|
|
1. Once the advisory is accepted, the reporter may submit a patch or wait for project maintainers to patch.
|
|
- The latter is usually significantly slower.
|
|
1. Patch releases will be made for the supported versions.
|
|
1. After 14 days of the release, publish the corresponding advisory on [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories).
|
|
|
|
Thank you for making open source community a better place!
|