libmicrohttpd2

HTTP server C library (MHD 2.x, alpha)

SECURITY.md (2219B)


# Security policy for GNU libmicrohttpd

 * [Supported Versions](#Supported-Versions)
 * [Signed Releases](#Signed-Releases)
 * [Reporting a Vulnerability](#Reporting-a-Vulnerability)
 * [Security Announcements](#Security-Announcements)
 * [Acknowledgements](#Acknowledgements)

## Supported Versions

We support both the most recent stable release series (1.x) and
the current development release series (2.x).

## Signed Releases

All commits and releases (the files on ftp.gnu.org) are signed by a
maintainer.  Each maintainer uses their personal GPG key, which is known to
and verified by the GNU project.

## Reporting a Vulnerability

If you think you've identified a security issue in GNU libmicrohttpd, please
**do not** report the issue publicly via a mailing list, IRC, a public issue on
the GitLab issue tracker, a merge request, or any other public venue.

Instead, report a [*confidential* ("private") issue in the Mantis
issue tracker](https://bugs.gnunet.org/set_project.php?project_id=10)
with the “private” box checked. Please include as many details as
possible, ideally including a minimal reproducible example of the
issue, together with your assessment of how exploitable and severe it is.

Private issues are only visible to the reporter and the core developer
team.

The next steps are then:
 * The report is triaged.
 * The code is audited to find any similar problems.
 * A fix is prepared for the development branch and for the most recent
   stable branch.
 * The fix is committed to the public repository and a new release
   containing the fix is issued.
 * On the day the issue and fix are made public, an announcement is made on the
   [public channels listed below](#Security-Announcements).

As per the [GNU security processes](https://www.gnu.org/software/security/),
you may escalate the report to the GNU project if, for any reason, the
GNU libmicrohttpd maintainers are unable to respond in a timely fashion.

## Security Announcements

Security announcements are made publicly via the
[GNU libmicrohttpd mailing list](https://lists.gnu.org/mailman/listinfo/libmicrohttpd).

## Acknowledgements

This text was partially based on the
[GNOME GLib security policy](https://gitlab.gnome.org/GNOME/glib/-/blob/main/SECURITY.md).