You can find more information on security incidents on the IdPy security webpage.
You read on the incident response policy under the governance documentation.
Anyone can submit a potential security vulnerability to incident-response@idpy.org
.
The incident-response team will verify the issue and contact you on how this will be
handled.
When a new vulnerability is reported and verified, a new security advisory is created on GitHub and the issue is assigned a CVE identifier. Progress on the mitigation is tracked on a private fork, where the incident-response team and developers communicate to fix the issue.
When the fix is ready, a release plan is prepared and all communication channels are used to notify the community of the presence of a new issue and the expected release plan. This allows the community time to prepare for a security upgrade. (Notice that security fixes are not backported at the moment.)
When the advisory is published, GitHub automatically notifies all associated projects of the published advisory. Projects that use IdPy projects as dependencies should automatically get Pull Requests by dependabot. Additionally, all communication channels are used again, to notify the community of the release of a new version of the affected software that contains the relevant fixes that mitigate the reported issue.
Notice, that security fixes are not backported at the moment to older releases than the latest. The team does not have the capacity to guarantee that these backports will exist. You are advised to be prepared to upgrade to the latest version once the fix is out.