[arvados] created: 2.1.0-2816-gf1e7c6e00

git repository hosting git at public.arvados.org
Wed Aug 3 19:27:59 UTC 2022


        at  f1e7c6e0018d276aae506b52ce18e7c31bf48479 (commit)


commit f1e7c6e0018d276aae506b52ce18e7c31bf48479
Author: Peter Stöckli <p- at github.com>
Date:   Wed Aug 3 17:49:08 2022 +0200

    19328: Add security policy
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/.licenseignore b/.licenseignore
index 203c378bd..6ddb5c009 100644
--- a/.licenseignore
+++ b/.licenseignore
@@ -92,3 +92,4 @@ sdk/cwl/tests/wf/hello.txt
 sdk/cwl/tests/wf/indir1/hello2.txt
 sdk/cwl/tests/chipseq/data/Genomes/*
 CITATION.cff
+SECURITY.md
\ No newline at end of file
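Review bot: The new last line of .licenseignore, `SECURITY.md`, is added without a trailing newline, as the `\ No newline at end of file` marker shows. The file ended with a newline before this change (the `CITATION.cff` context line carries no such marker), so please terminate the new entry with one as well. Otherwise the next entry appended to the file will also show this line as modified in its diff.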
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..4e16ed5f7
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,42 @@
+# Arvados Project Security Policy
+
+## Supported Versions
+
+The Arvados project will issue security fixes by making point releases
+on the current stable release series (X.Y.0, X.Y.1, X.Y.2, etc).
+
+The most recent stable release version, along with release notes and
+upgrade notes documenting security fixes, can be found at these
+locations:
+
+https://arvados.org/releases/
+
+https://doc.arvados.org/admin/upgrading.html
+
+The Arvados project does not support versions older than the current
+stable release except by special arrangement (contact info at curii.com).
+
+Release announcements, including notification of security fixes, are
+sent to the Arvados announcement list:
+
+https://lists.arvados.org//mailman/listinfo/arvados
+
+## Reporting Security Issues
+
+If you believe you have found a security vulnerability in any Arvados-owned repository, please report it to us through coordinated disclosure.
+
+**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
+
+Instead, please send an email to dev at curii.com.
+
+Please include as much of the information listed below as you can to help us better understand and resolve the issue:
+
+  * The type of issue (e.g., remote code execution, SQL injection, or cross-site scripting)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
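Review bot: The announcement list link in the "Supported Versions" section has a doubled slash in its path (`https://lists.arvados.org//mailman/listinfo/arvados`); use a single slash so the published policy carries the canonical URL. Two smaller points on the "Reporting Security Issues" section: it asks reporters to mail proof-of-concept or exploit code to the dev address but names no encrypted channel or key for doing so and does not say when a reporter can expect an acknowledgement, both worth a sentence each. The paragraphs from "If you believe you have found" onward are also left as single long lines while the section above is hard-wrapped, so wrapping them the same way would keep the file consistent.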

-----------------------------------------------------------------------


hooks/post-receive
-- 