625162edd3
Builds on @Yorji-Porji's draft by fixing three issues before it lands:
- Replace the `< 1.0.0` placeholder table with MemPalace's actual
support policy: current major (3.x) receives fixes, 2.x and earlier
do not.
- Remove the `[Insert Maintainer Email Here]` placeholder and the
email fallback. GitHub Private Vulnerability Reporting is enabled
on this repo; the policy points there exclusively so there is no
risk of a researcher emailing a dead address.
- Drop the meta-note ("Adjust the table above…") that was an
instruction to the maintainer, not policy text.
Structure, triage timelines, and credit language are kept as drafted.
34 lines
1.3 KiB
Markdown
# Security Policy

## Supported Versions

MemPalace follows semantic versioning. Security fixes land on the current major version line.

| Version         | Supported |
| --------------- | --------- |
| 3.x (current)   | Yes       |
| 2.x and earlier | No        |

## Reporting a Vulnerability

**Please do not report security vulnerabilities through public GitHub issues.**

We take the security of MemPalace seriously. If you believe you have found a security vulnerability, please report it privately using **GitHub Private Vulnerability Reporting**:

1. Open the [Security tab](https://github.com/MemPalace/mempalace/security) of this repository.
2. Click **Advisories** → **Report a vulnerability**.
3. Fill in the form with the details below.

### What to include in your report

- A descriptive summary of the vulnerability.
- Detailed steps to reproduce the issue (including any proof-of-concept scripts or specific file paths).
- The affected version(s) and platform(s).
- The potential impact and severity.

### What to expect

- We aim to acknowledge receipt within 48 hours.
- We will triage the issue and keep you updated on progress toward a patch.
- Once the vulnerability is resolved and an update is released, we will publish a security advisory and credit you for the discovery (if you wish to be credited).