[exim-cvs] Add a security page in a place where GitHub will …

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Add a security page in a place where GitHub will detect it
Gitweb: https://git.exim.org/exim.git/commitdiff/3ff0668bf4565e7f8ea4b843474ddb49cce46fed
Commit:     3ff0668bf4565e7f8ea4b843474ddb49cce46fed
Parent:     e59797e3bda39abf611063fc0ba38fcb4e6596e4
Author:     Phil Pennock <pdp@???>
AuthorDate: Wed Jun 19 15:37:19 2019 -0400
Committer:  Phil Pennock <pdp@???>
CommitDate: Wed Jun 19 15:37:19 2019 -0400


    Add a security page in a place where GitHub will detect it
---
 SECURITY.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)


diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..5580a8c
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,30 @@
+# Security Policy
+
+## Supported Versions
+
+We are an open source project with no corporate sponsor and no formal
+"support". In practice, we support the latest released version and work with
+OS vendors to make it easy for them to backport fixes for their distributed
+packages. For some security issues, we will issue a patch-release which has
+just a simple fix.
+
+We also often have `exim_VERSION+fixes` branches with small things which we
+recommend that vendors use.
+
+For postmasters installing Exim manually, we recommend always using the latest
+released tarball.
+
+## Reporting a Vulnerability
+
+Our security page is at <https://wiki.exim.org/EximSecurity>.
+It contains the current contact point and list of PGP keys to use for
+encrypting particularly sensitive information.
+This also links to our documentation and the chapter on security
+considerations.
+
+Our security release process is at
+<https://wiki.exim.org/SecurityReleaseProcess>.
+This covers what we do in handling vulnerability reports.
+
+We have no bug bounty program of our own; we're far too disparate a group of
+volunteers for such things.