.. Licensed under the Apache License, Version 2.0 (the "License"); you may
   not use this file except in compliance with the License. You may obtain
   a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   License for the specific language governing permissions and limitations
   under the License.

.. _vulnerabilities:

Airship Security Vulnerability Management
=========================================

The Airship community is committed to expediently confirming, resolving, and
disclosing all reported security vulnerabilities. We appreciate your
cooperation and participation in our vulnerability management process
outlined below.

Report a Vulnerability
----------------------

If you discover a vulnerability in an Airship project, please treat the issue
with a sense of confidentiality and disclose it to the
`airship-security mailing list`_:

    airship-security@lists.airshipit.org

Additionally, please include any potential fixes, as doing so can expedite the
disclosure and patching processes.

The Airship Working Committee is the sole subscriber of the
`airship-security mailing list`_ and monitors it for reported vulnerabilities.
The committee confirms or rejects reported vulnerabilities in correspondence
with the vulnerability reporter. In the event that the Airship Working
Committee does not have the expertise or availability to resolve a reported
vulnerability, the committee may solicit assistance from outside contributors
to better facilitate the understanding and resolution of reported security
vulnerabilities.

Receive Early Disclosures
-------------------------

We prefer to disclose confirmed security vulnerabilities as soon as possible.
While circumstances may not always allow immediate disclosure, vulnerabilities
may be disclosed over the `airship-embargo-notice mailing list`_ when a fix
becomes available. The airship-embargo-notice mailing list notifies Airship
users of confirmed vulnerabilities.

If you operate Airship in a production environment, we recommend subscribing
to the `airship-embargo-notice mailing list`_ by contacting the Airship Working
Committee. The Airship Working Committee evaluates subscription requests on a
case-by-case basis.

Receive Public Disclosures
--------------------------

Within ninety days of the initial vulnerability report, except in unusual
circumstances, the Airship Working Committee will publicly disclose the
reported vulnerability and its mitigation over the `airship-announce`_ and
`airship-discuss`_ mailing lists. If a fix merges before the aforementioned
ninety-day period expires, the Airship Working Committee will instead disclose
the vulnerability and fix twenty-one days later. We recommend subscribing to
both mailing lists in order to receive security updates.

.. _airship-security mailing list: http://lists.airshipit.org/cgi-bin/mailman/listinfo/airship-security
.. _airship-embargo-notice mailing list: http://lists.airshipit.org/cgi-bin/mailman/listinfo/airship-embargo-notice
.. _airship-announce: http://lists.airshipit.org/cgi-bin/mailman/listinfo/airship-announce
.. _airship-discuss: http://lists.airshipit.org/cgi-bin/mailman/listinfo/airship-discuss