From 5b05380c868621c8df80656f184f435e1ac29e19 Mon Sep 17 00:00:00 2001 From: Tony Meyer Date: Wed, 25 Sep 2024 17:55:03 +1200 Subject: [PATCH] Add a security policy document. --- SECURITY.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..a5c8e3bf --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,38 @@ +# Security policy + +## Supported versions + +Security updates will be released for all major versions that have had releases in the last year, +and for all versions of Pebble that are bundled with [Juju](https://github.com/juju/juju) +releases that [receive security updates](https://juju.is/docs/juju/roadmap). + +## Reporting a vulnerability + +Please provide a description of the issue, the steps you took to +create the issue, affected versions, and, if known, mitigations for +the issue. + +The easiest way to report a security issue is through +[GitHub's security advisory for this project](https://github.com/canonical/pebble/security/advisories/new). See +[Privately reporting a security +vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) +for instructions on reporting using GitHub's security advisory feature. + +The Pebble GitHub admins will be notified of the issue and will work with you +to determine whether the issue qualifies as a security issue and, if so, in +which component. We will then figure out a fix, get a CVE +assigned, and coordinate the release of the fix. + +You may also send email to security@ubuntu.com. Email may optionally be +encrypted to OpenPGP key +[`4072 60F7 616E CE4D 9D12 4627 98E9 740D C345 39E0`](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x407260f7616ece4d9d12462798e9740dc34539e0) + +If you have a deadline for public disclosure, please let us know. +Our vulnerability management team intends to respond within 3 working +days of your report. This project aims to resolve all vulnerabilities +within 90 days. + +The [Ubuntu Security disclosure and embargo +policy](https://ubuntu.com/security/disclosure-policy) contains more +information about what you can expect when you contact us, and what we +expect from you.