From 74484ff6e0f1f810fc24d57ba51286c347b31cf3 Mon Sep 17 00:00:00 2001 From: Julian Valentin <19839841+valentjn@users.noreply.github.com> Date: Sun, 12 Feb 2023 20:29:52 +0100 Subject: [PATCH] Use GitHub's private vulnerability reporting --- SECURITY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index a9ab5e99..f4ad5143 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -26,9 +26,9 @@ In this document, the term “vulnerability” is synonymous to “s **Please do not report security vulnerabilities through public GitHub issues.** -Please report security vulnerabilities via email to valentjn (a) bsplines.org. +Please report security vulnerabilities via the Security Advisory form under the Security tab in the GitHub repository ([instructions](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)). -You can expect an initial response within 24 hours. If you do not get a response, please send a follow-up email. +You can expect an initial response within 24 hours. If you do not get a response, please send a follow-up message. In your report, please include at least the following information (as much as possible): @@ -53,7 +53,7 @@ The steps of the process of handling vulnerabilities is as follows: 7. Fix is pushed and released; [responsible disclosure](#responsible-disclosure-policy) 8. [Post-mortem analysis](#post-mortem-analysis) -You will obtain an update via email as soon as the next step has been completed, but no later than 5 days after the last update. +You will obtain an update as soon as the next step has been completed, but no later than 5 days after the last update. ## Responsible Disclosure Policy
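Review bot: In the first hunk, replacing the email address with the Security Advisory form removes the only fallback channel, and that form is only shown to reporters if private vulnerability reporting is actually enabled in the repository's settings; please confirm it is turned on before this lands, or keep the address in the sentence as a secondary route ("... or, if the form is unavailable, via email to valentjn (a) bsplines.org"). The "24 hours" response promise and the "send a follow-up message" instruction also now have no stated channel for the follow-up; a short clause such as "a follow-up comment in the advisory" would tell a reporter where to nudge.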
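Review bot: In the second hunk, dropping "via email" leaves "You will obtain an update as soon as the next step has been completed" without saying where that update arrives; since the report now lives in a GitHub security advisory, state that explicitly ("You will obtain an update in the advisory thread as soon as ...") so the 5-day commitment has a concrete place the reporter can check. Unrelated but adjacent: the context line "The steps of the process of handling vulnerabilities is as follows" should read "are as follows" if you touch this paragraph again.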