From: Sarah Hoffmann Date: Fri, 9 Jul 2021 09:36:59 +0000 (+0200) Subject: add security issue disclosure policy X-Git-Tag: v4.0.0~53^2 X-Git-Url: https://git.openstreetmap.org/nominatim.git/commitdiff_plain/5bea0b6086e3f0ba427da52da4fac7240a118068 add security issue disclosure policy --- diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..41a6f2ef --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,39 @@ +# Security Policy + +## Supported Versions + +All Nominatim releases receive security updates for two years. + +The following table lists the end of support for all currently supported +versions. + +| Version | End of support for security updates | +| ------- | ----------------------------------- | +| 3.7.x | 2023-04-05 | +| 3.6.x | 2022-12-12 | +| 3.5.x | 2022-06-05 | +| 3.4.x | 2021-10-24 | + +## Reporting a Vulnerability + +If you believe, you have found an issue in Nominatim that has implications on +security, please send a description of the issue to **security@nominatim.org**. +You will receive an acknowledgement of your mail within 3 work days where we +also notify you of the next steps. + +## How we Disclose Security Issues + +** The following section only applies to security issues found in released +versions. Issues that concern the master development branch only will be +fixed immediately on the branch with the corresponding PR containing the +description of the nature and severity of the issue. ** + +Patches for identified security issues are applied to all affected versions and +new minor versions are released. At the same time we release a statement at +the [Nominatim blog](https://nominatim.org/blog/) describing the nature of the +incident. Announcements will also be published at the +[geocoding mailinglist](https://lists.openstreetmap.org/listinfo/geocoding). + +## List of Previous Incidents + +* 2020-05-04 - [SQL injection issue on /details endpoint](https://lists.openstreetmap.org/pipermail/geocoding/2020-May/002012.html)
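Review bot: the emphasis markers in the "How we Disclose Security Issues" section will not render as bold, because Markdown strong emphasis cannot have whitespace directly inside the delimiters; `** The following section ... ** ` should become `**The following section only applies to security issues found in released versions. ... severity of the issue.**`, or the paragraph could be a `>` blockquote instead. Two small wording points in the same hunk: "If you believe, you have found an issue" has a stray comma (should read "If you believe you have found an issue"), and "mailinglist" should be "mailing list". Finally, since the table lists supported lines as `3.7.x`, `3.6.x` and so on, "new minor versions are released" is ambiguous about whether a fix ships as a new patch release within the supported line or as a new minor line; stating that explicitly (for example "new patch releases of each affected version") would make the support commitment clearer to readers deciding whether to upgrade.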