|
|
@@ -12,13 +12,13 @@ Existing vulnerability reports are being tracked in [GitHub Security Advisories]
|
|
|
> Starting **Nov 9, 2023 00:00 UTC**, only security vulnerabilities reported through [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories/new) are accepted.
|
|
|
> Pre-existing vulnerability reported through https://huntr.dev/ or email (`security@gogs.io`) will continue to be worked through.
|
|
|
|
|
|
-1. Report a vulnerability
|
|
|
-1. Project maintainers review the report and either:
|
|
|
+1. Report an advisory for the vulnerability
|
|
|
+1. Project maintainers review the advisory and either:
|
|
|
- Ask clarifying questions
|
|
|
- Confirm or deny the vulnerability
|
|
|
1. Once the vulnerability is confirmed, the reporter may submit a patch or wait for project maintainers to patch.
|
|
|
- The latter is usually significantly slower.
|
|
|
1. Patch releases will be made for the supported versions.
|
|
|
-1. Publish the report on [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories).
|
|
|
+1. After 14 days of the release, publish the corresponding advisory on [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories).
|
|
|
|
|
|
Thank you!
|
Joe Chen