feat(docs): Add a security policy for disclosing vulnerabilities

Talkless · Mar 11, 2022 · a99735d · a99735d
1 parent 4f9ca0a
commit a99735d
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,22 @@
+# Security Policy
+
+## Supported Versions
+
+The latest release of qTox is supported. Any security fix will be added to a new
+version on top of it.
+
+## Reporting a Vulnerability
+
+Please report vulnerabilities by Tox to
+[anthonybilinski](tox:AC18841E56CCDEE16E93E10E6AB2765BE54277D67F1372921B5B418A6B330D3D3FAFA60B0931)
+and [sudden6](tox:7FA177896407DACE01A1C1E5A56445E839280AE1B2520146C9473B4DA04B774257E7E30F871F).
+If that's not an option, please email [me@abilinski](mailto:[email protected]) with GPG fingerprint `7EB3 39FE 8817 47E7 01B7  D472 EBE3 6E66 A842 9B99` and [[email protected]](mailto:[email protected]) with GPG fingerprint `DA26 2CC9 3C0E 1E52 5AD2  1C85 9677 5D45 4B8E BF44`.
+
+We should get back to you within a week. If the vulnerability is qTox specific
+and accepted, there should be a new release addressing the vulnerability within
+a couple of weeks. If we disagree with the vulnerability analysis, we will
+answer explaining our reasoning.
+
+If the vulnerability is related to a dependency of qTox, we will follow the
+disclosure policy of that project. If a fix from the project isn't imminent and
+it's possible, we will mitigate the issue in qTox.