1 |
| -# Reporting security issues |
| 1 | +# Security Policy |
2 | 2 |
|
3 |
| -The project maintainers take security seriously. If you discover a security |
4 |
| -issue, please bring it to their attention right away! |
| 3 | +The maintainers of Docker Buildx take security seriously. If you discover |
| 4 | +a security issue, please bring it to their attention right away! |
5 | 5 |
|
6 |
| -**Please _DO NOT_ file a public issue**, instead send your report privately to |
7 |
| - |
| 6 | +## Reporting a Vulnerability |
8 | 7 |
|
9 |
| -Security reports are greatly appreciated, and we will publicly thank you for it. |
10 |
| -We also like to send gifts—if you're into schwag, make sure to let |
11 |
| -us know. We currently do not offer a paid security bounty program, but are not |
12 |
| -ruling it out in the future. |
| 8 | +Please **DO NOT** file a public issue, instead send your report privately |
| 9 | + |
| 10 | + |
| 11 | +Reporter(s) can expect a response within 72 hours, acknowledging the issue was |
| 12 | +received. |
| 13 | + |
| 14 | +## Review Process |
| 15 | + |
| 16 | +After receiving the report, an initial triage and technical analysis is |
| 17 | +performed to confirm the report and determine its scope. We may request |
| 18 | +additional information in this stage of the process. |
| 19 | + |
| 20 | +Once a reviewer has confirmed the relevance of the report, a draft security |
| 21 | +advisory will be created on GitHub. The draft advisory will be used to discuss |
| 22 | +the issue with maintainers, the reporter(s), and where applicable, other |
| 23 | +affected parties under embargo. |
| 24 | + |
| 25 | +If the vulnerability is accepted, a timeline for developing a patch, public |
| 26 | +disclosure, and patch release will be determined. If there is an embargo period |
| 27 | +on public disclosure before the patch release, the reporter(s) are expected to |
| 28 | +participate in the discussion of the timeline and abide by agreed upon dates |
| 29 | +for public disclosure. |
| 30 | + |
| 31 | +## Accreditation |
| 32 | + |
| 33 | +Security reports are greatly appreciated and we will publicly thank you, |
| 34 | +although we will keep your name confidential if you request it. We also like to |
| 35 | +send gifts - if you're into swag, make sure to let us know. We do not currently |
| 36 | +offer a paid security bounty program at this time. |
| 37 | + |
| 38 | +## Supported Versions |
| 39 | + |
| 40 | +Once a new feature release is cut, support for the previous feature release is |
| 41 | +discontinued. An exception may be made for urgent security releases that occur |
| 42 | +shortly after a new feature release. Buildx does not offer LTS (Long-Term Support) |
| 43 | +releases. Refer to the [Support Policy](https://github.com/docker/buildx/blob/master/PROJECT.md#support-policy) |
| 44 | +for further details. |
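Review bot: The new "Reporting a Vulnerability" section says "send your report privately" and then the next two added lines are blank, so no destination (a security contact address or a link to GitHub private vulnerability reporting) is visible anywhere in this hunk; confirm the private reporting channel actually appears in the committed file, otherwise the section gives reporters no actionable instruction and the old text's "privately to" destination was dropped along with it. Two smaller points: the comma splice in "file a public issue, instead send your report privately" reads better as two sentences or with a semicolon, and "We do not currently offer a paid security bounty program at this time." under Accreditation says "currently" and "at this time" twice; drop one.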