diff --git a/SECURITY.md b/SECURITY.md index 36b2b06..7a83995 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,20 +1,39 @@ # Security Policy -## Supported Versions +This Eclipse Foundation Project adheres to the [Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/security/policy/). -| Version | Supported | -| ------- | ------------------ | -| 6.4.x | :white_check_mark: | +## How To Report a Vulnerability -## Reporting a Vulnerability +If you think you have found a vulnerability in this repository, please report it to us through coordinated disclosure. -If you think you have found a vulnerability in you can report it using one of the following ways: +**Please do not report security vulnerabilities through public issues, discussions, or change requests.** -* Contact the [Eclipse Foundation Security Team](mailto:security@eclipse-foundation.org) -* [Report a Vulnerability](https://github.com/eclipse-threadx/levelx/security/advisories/new) +Instead, [report it privately here](https://github.com/eclipse-threadx/levelx/security/advisories/new) on GitHub You can find more information about reporting and disclosure at the [Eclipse Foundation Security page](https://www.eclipse.org/security/). -## Security Policy +Please include as much of the information listed below as you can to help us better understand and resolve the issue: + +* The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting) +* Affected version(s) +* Impact of the issue, including how an attacker might exploit the issue +* Step-by-step instructions to reproduce the issue +* The location of the affected source code (tag/branch/commit or direct URL) +* Full paths of source file(s) related to the manifestation of the issue +* Configuration required to reproduce the issue +* Log files that are related to this issue (if possible) +* Proof-of-concept or exploit code (if possible) + +This information will help us triage your report more quickly. 
+ +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| 6.5.x | :white_check_mark: | + +Eclipse ThreadX publishes a release every quarter. There are no long-term support branches or backports to older releases. + +Normally, fixes for non-critical vulnerabilities will ship in a regularly scheduled quarterly release. If fixes for an urgent or critical vulnerability must ship quickly, then the project will publish a hotfix release of the affected component(s) without waiting for the next quarterly release. -This project follows [Eclipse Foundation Vulnerability Reporting Policy](https://www.eclipse.org/security/policy/). +You can learn more about the [project's release cadence in this blog post](https://blogs.eclipse.org/post/fr%C3%A9d%C3%A9ric-desbiens/eclipse-threadx-more-predictable-more-open).
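Review bot: the reporting paragraph in this hunk runs two sentences together, "report it privately here](https://github.com/eclipse-threadx/levelx/security/advisories/new) on GitHub You can find more information", so a period is missing after "on GitHub". The same hunk also drops the only non-GitHub reporting channel (the removed line "* Contact the [Eclipse Foundation Security Team](mailto:security@eclipse-foundation.org)"); since private advisories require a GitHub account, consider keeping that e-mail contact as a fallback alongside the advisory link. Finally, the new "Supported Versions" table lists only 6.5.x with the statement that there are no backports, which is consistent, but the text does not say how to tell which release the fix landed in; a one-line pointer to the release notes or a CHANGELOG would help reporters verify a fix.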