From fde6cac7a2e893caa56a36db6d3a03d7538084f8 Mon Sep 17 00:00:00 2001 From: Pierre Goiffon Date: Tue, 13 Dec 2022 18:15:25 +0100 Subject: [PATCH] :memo: SECURITY: Add disclosure policy (#372) Co-authored-by: Molkobain --- SECURITY.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 0c0cd411f..32bc99768 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -18,8 +18,7 @@ to [itop-security@combodo.com](mailto:itop-security@combodo.com). -## 📆 Disclosure Policy - +## 🔍 Combodo acknowledgment and investigation Report sent to us will be acknowledged within the week. Then, a Combodo developer will be assigned to the reported issue and will: @@ -34,3 +33,12 @@ Then, a Combodo developer will be assigned to the reported issue and will: Security issues always take precedence over bug fixes and feature work. The assignee will keep you informed of the resolution progress, and may ask you for additional information or guidance. + + +## 📆 Disclosure Policy +Once the fix is done and acknowledged by every stakeholder, it will be included in the next iTop version. +Mind we have at least 2 active branches (LTS and STS, see [iTop Community Releases [iTop Documentation]](https://www.itophub.io/wiki/page?id=latest:release:start)) + +The release communications will include the information of the vulnerability fix. + +Corresponding GitHub advisories and CVE will be published 3 months after the iTop version release date so that iTop instances can be updated.
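Review bot: in the first hunk (the heading rename at `@@ -18,8 +18,7 @@`), the blank line between the heading and the paragraph is removed along with the old "📆 Disclosure Policy" heading, so "## 🔍 Combodo acknowledgment and investigation" now sits directly above "Report sent to us will be acknowledged within the week."; keep the blank separator line as the rest of the file does, and since the context line is being touched anyway, "Report sent to us" should read "Reports sent to us".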
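Review bot: in the second hunk (the new "## 📆 Disclosure Policy" section at `@@ -34,3 +33,12 @@`), the policy says the fix "will be included in the next iTop version" but then points out that at least two branches (LTS and STS) are active without saying whether the fix is shipped on both; state explicitly that security fixes are released on every active branch, otherwise an LTS user cannot tell whether "the next iTop version" covers them. "Mind we have at least 2 active branches" is also awkward and should read "Note that we maintain at least two active branches", and "GitHub advisories and CVE" should be "GitHub advisories and CVEs". Finally, since the release communications already mention that a vulnerability was fixed while the advisory itself is held back for 3 months, consider saying what the release notes will and will not disclose (for example, the affected component but not reproduction details), so the embargo actually gives instances time to update.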