# Security Policy

This documentation was last updated February 2022. The latest version can
always be found at:
https://github.com/atheme/atheme/blob/master/SECURITY.md

## Supported Versions

The latest minor release receives security and bugfix updates as new point
releases. At the time of writing this is the 7.2 release series, with 7.2.12
being the supported stable release.

For the lifetime of the upcoming 7.3 release series, we plan to keep
supporting the 7.2 series with security updates as needed.

Older releases are not officially supported. We may provide updates for
severe security vulnerabilities affecting them on a best-effort basis;
however, we cannot recommend relying on this and strongly urge users to
update to an officially supported release instead.

If you are using Atheme as distributed by a third party (such as an OS
package repository), they may have backported security fixes to an earlier
release. In that case, please consult your distributor's packaging
policy for details.

## Reporting a Vulnerability

Our security contacts are, in alphabetical order:

| GitHub username | Libera Chat account name |
| --------------- | ------------------------ |
| @aaronmdjones   | `amdj`                   |
| @ilbelkyr       | `ilbelkyr`               |

If circumstances permit, you can contact us via IRC by sending us a private
message on the Libera Chat IRC network. Please double-check you are actually
talking to the right people; we are generally opped in the `#atheme` channel.

Otherwise, you may prefer to contact us via email at `security@atheme.org`
instead. If you use PGP, please encrypt your mail for *all* of these keys:

- [`6645CCE551CB5AF25B5636B96E52BD84AF14021F`][pgp-ilbelkyr]
- [`97D58E607188C8C986481CB76A2F898000519052`][pgp-amdj]

We will look into the issue as quickly as possible. To avoid us having to
request further clarification, please try to include all relevant details,
especially whether the vulnerability has already been disclosed to third
parties.

## Vulnerability Disclosure

We aim to ensure the security of Atheme installations and their users. To
this end, we follow a coordinated disclosure model under which we provide
administrators of major Atheme installations with advance notice of security
vulnerabilities and their corresponding fixes before sharing the details
with the general public. Where possible, we will also publish mitigation
instructions before releasing the details. Outside extraordinary circumstances,
we will release full details at most two weeks after learning about the
vulnerability.

Security-related announcements will be found in our Git repository's
`NEWS.md` file, as well as in the release notes for applicable releases.

[pgp-ilbelkyr]: https://keys.openpgp.org/vks/v1/by-fingerprint/6645CCE551CB5AF25B5636B96E52BD84AF14021F
[pgp-amdj]: https://keys.openpgp.org/vks/v1/by-fingerprint/97D58E607188C8C986481CB76A2F898000519052