spack/SECURITY.md

# Security Policy

## Supported Versions

We provide security updates for `develop` and for the last two
stable (`0.x`) release series of Spack. Security updates will be
made available as patch (`0.x.1`, `0.x.2`, etc.) releases.

For more on Spack's release structure, see
[`README.md`](https://github.com/spack/spack#releases).

## Reporting a Vulnerability

You can report a vulnerability using GitHub's private reporting
feature:

1. Go to [github.com/spack/spack/security](https://github.com/spack/spack/security).
2. Click "Report a vulnerability" in the upper right corner of that page.
3. Fill out the form and submit your draft security advisory.

More details are available in
[GitHub's docs](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).

You can expect to hear back about security issues within two days.
If your security issue is accepted, we will do our best to release
a fix within a week. If fixing the issue will take longer than
this, we will discuss timeline options with you.
Create SECURITY.md 2021-09-19 06:43:14 -07:00			`# Security Policy`

			`## Supported Versions`

security: change `SECURITY.md` to recommend GitHub's private reporting (#39651) GitHub's beta private security issue reporting feature is enabled on the Spack repo now, so we can change `SECURITY.md` to recommend using it instead of `maintainers@spack.io`. - [x] Update `SECURITY.md` to direct people to the GitHub security tab. - [x] Update working in `SECURITY.md` to say "last two major releases" with a link to the releases page, instead of explicitly listing release names. This way we don't have to update it (which we keep forgetting to do). 2023-08-28 11:06:17 -07:00			We provide security updates for `develop` and for the last two
			stable (`0.x`) release series of Spack. Security updates will be
			made available as patch (`0.x.1`, `0.x.2`, etc.) releases.

Create SECURITY.md 2021-09-19 06:43:14 -07:00			`For more on Spack's release structure, see`
			[`README.md`](https://github.com/spack/spack#releases).

security: change `SECURITY.md` to recommend GitHub's private reporting (#39651) GitHub's beta private security issue reporting feature is enabled on the Spack repo now, so we can change `SECURITY.md` to recommend using it instead of `maintainers@spack.io`. - [x] Update `SECURITY.md` to direct people to the GitHub security tab. - [x] Update working in `SECURITY.md` to say "last two major releases" with a link to the releases page, instead of explicitly listing release names. This way we don't have to update it (which we keep forgetting to do). 2023-08-28 11:06:17 -07:00			`## Reporting a Vulnerability`
Create SECURITY.md 2021-09-19 06:43:14 -07:00
security: change `SECURITY.md` to recommend GitHub's private reporting (#39651) GitHub's beta private security issue reporting feature is enabled on the Spack repo now, so we can change `SECURITY.md` to recommend using it instead of `maintainers@spack.io`. - [x] Update `SECURITY.md` to direct people to the GitHub security tab. - [x] Update working in `SECURITY.md` to say "last two major releases" with a link to the releases page, instead of explicitly listing release names. This way we don't have to update it (which we keep forgetting to do). 2023-08-28 11:06:17 -07:00			`You can report a vulnerability using GitHub's private reporting`
			`feature:`
Create SECURITY.md 2021-09-19 06:43:14 -07:00
security: change `SECURITY.md` to recommend GitHub's private reporting (#39651) GitHub's beta private security issue reporting feature is enabled on the Spack repo now, so we can change `SECURITY.md` to recommend using it instead of `maintainers@spack.io`. - [x] Update `SECURITY.md` to direct people to the GitHub security tab. - [x] Update working in `SECURITY.md` to say "last two major releases" with a link to the releases page, instead of explicitly listing release names. This way we don't have to update it (which we keep forgetting to do). 2023-08-28 11:06:17 -07:00			`1. Go to [github.com/spack/spack/security](https://github.com/spack/spack/security).`
			`2. Click "Report a vulnerability" in the upper right corner of that page.`
			`3. Fill out the form and submit your draft security advisory.`
Create SECURITY.md 2021-09-19 06:43:14 -07:00
security: change `SECURITY.md` to recommend GitHub's private reporting (#39651) GitHub's beta private security issue reporting feature is enabled on the Spack repo now, so we can change `SECURITY.md` to recommend using it instead of `maintainers@spack.io`. - [x] Update `SECURITY.md` to direct people to the GitHub security tab. - [x] Update working in `SECURITY.md` to say "last two major releases" with a link to the releases page, instead of explicitly listing release names. This way we don't have to update it (which we keep forgetting to do). 2023-08-28 11:06:17 -07:00			`More details are available in`
			`[GitHub's docs](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).`
Create SECURITY.md 2021-09-19 06:43:14 -07:00
security: change `SECURITY.md` to recommend GitHub's private reporting (#39651) GitHub's beta private security issue reporting feature is enabled on the Spack repo now, so we can change `SECURITY.md` to recommend using it instead of `maintainers@spack.io`. - [x] Update `SECURITY.md` to direct people to the GitHub security tab. - [x] Update working in `SECURITY.md` to say "last two major releases" with a link to the releases page, instead of explicitly listing release names. This way we don't have to update it (which we keep forgetting to do). 2023-08-28 11:06:17 -07:00			`You can expect to hear back about security issues within two days.`
			`If your security issue is accepted, we will do our best to release`
			`a fix within a week. If fixing the issue will take longer than`
			`this, we will discuss timeline options with you.`