From e6729a0dba73702dcefc8a7ff071a2bcb9922ab3 Mon Sep 17 00:00:00 2001 From: Florian Forster Date: Fri, 15 Nov 2019 15:30:02 +0100 Subject: [PATCH] some more text --- SECURITY.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 7727307..2ab2445 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -17,18 +17,24 @@ To file a incident, please disclose by email to security@caos.ch a list with the At the moment GPG encryption is no yet supported, however you may sign your message at will. -### When should I report a vulnerability? +### When should I report a vulnerability * You think you discovered a ... * ... potential security vulnerability in the SDK * ... vulnerability in another project that this SDK bases on * For projects with their own vulnerability reporting and disclosure process, please report it directly there -### When should I NOT report a vulnerability? +### When should I NOT report a vulnerability * You need help applying security related updates * Your issue is not security related ## Security Vulnerability Response -## Public Disclosure Timing +## Public Disclosure + +All accepted and mitigated vulnerabilitys will be published on the [Github Security Page](https://github.com/caos/oidc/security/advisories) + +### Timing + +We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknow nature of the discloures the time frame can range from 7 to 90 days.
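Review bot: the three added lines under `## Public Disclosure` and `### Timing` carry spelling errors that should be fixed before merge: "vulnerabilitys" should read "vulnerabilities", "unknow" should read "unknown", and "discloures" should read "disclosures"; "Github" is also normally written "GitHub", and the backticks around `ASAP` mark it as code, so plain text (or "as soon as") reads better, e.g. "We think it is crucial to publish advisories as soon as mitigations are ready." The same hunk leaves `## Security Vulnerability Response` as an empty heading immediately followed by the new `## Public Disclosure` section, so either a short paragraph on how reports are acknowledged and triaged belongs there, or the heading should be removed until that text exists. The unchanged context lines still contain "a incident" and "no yet supported" ("an incident", "not yet supported"); since this commit is editing this file anyway, fixing those in the same change would be cheap.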