summaryrefslogtreecommitdiff
path: root/SECURITY.md
diff options
context:
space:
mode:
Diffstat (limited to 'SECURITY.md')
-rw-r--r--SECURITY.md30
1 files changed, 16 insertions, 14 deletions
diff --git a/SECURITY.md b/SECURITY.md
index 3a8381140c..c0cb40cbde 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,24 +2,26 @@
## Supported Versions
-We provide security updates for the following releases.
+We provide security updates for `develop` and for the last two
+stable (`0.x`) release series of Spack. Security updates will be
+made available as patch (`0.x.1`, `0.x.2`, etc.) releases.
+
For more on Spack's release structure, see
[`README.md`](https://github.com/spack/spack#releases).
+## Reporting a Vulnerability
-| Version | Supported |
-| ------- | ------------------ |
-| develop | :white_check_mark: |
-| 0.19.x | :white_check_mark: |
-| 0.18.x | :white_check_mark: |
+You can report a vulnerability using GitHub's private reporting
+feature:
-## Reporting a Vulnerability
+1. Go to [github.com/spack/spack/security](https://github.com/spack/spack/security).
+2. Click "Report a vulnerability" in the upper right corner of that page.
+3. Fill out the form and submit your draft security advisory.
-To report a vulnerability or other security
-issue, email maintainers@spack.io.
+More details are available in
+[GitHub's docs](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).
-You can expect to hear back within two days.
-If your security issue is accepted, we will do
-our best to release a fix within a week. If
-fixing the issue will take longer than this,
-we will discuss timeline options with you.
+You can expect to hear back about security issues within two days.
+If your security issue is accepted, we will do our best to release
+a fix within a week. If fixing the issue will take longer than
+this, we will discuss timeline options with you.