Skip to content

Commit

Permalink
pull
Browse files Browse the repository at this point in the history
  • Loading branch information
niccokunzmann committed Dec 23, 2024
1 parent e43536e commit e2e02b4
Showing 1 changed file with 31 additions and 9 deletions.
40 changes: 31 additions & 9 deletions docs/security.rst
Original file line number Diff line number Diff line change
Expand Up @@ -15,20 +15,42 @@ Security vulnerabilities are fixed only for the latest version of ``icalendar``.
* - Version
- Supported
* - 6.*
-
- YES
* - 5.*
-
- no
* - 4.*
-
- no
* - < 4.*
-
- no


Reporting a Vulnerability
-------------------------

Please `report vulnerabilities of icalendar to Plone
<https://github.com/plone/.github/blob/main/SECURITY.md#readme>`_.
If you cannot do this, please contact one of the
:ref:`maintainers`
directly or open an issue.
To report security issues of ``collective/icalendar``, use the ``Report a vulnerability`` button on the project's `Security Page <https://github.com/collective/icalendar/security>`_.
If you cannot do this, please contact one of the :ref:`maintainers` directly.

If we determine that your report may be a security issue with the project, we may contact you for further information.
We volunteers ask that you delay public disclosure of your report for at least ninety (90) days from the date you report it to us.
This will allow sufficient time for us to process your report and coordinate disclosure with you.

Once verified and fixed, the following steps will be taken:

- We will use GitHub's Security Advisory tool to report the issue.
- GitHub will review our Security Advisory report for compliance with Common Vulnerabilities and Exposures (CVE) rules.
If it is compliant, they will submit it to the MITRE Corporation to generate a `CVE <https://www.cve.org/>`_.
This in turn submits the CVE to the `National Vulnerability Database (NVD) <https://nvd.nist.gov/vuln/search>`_.
GitHub notifies us of their decision.
- Assuming it is compliant, we then publish our Security Advisory on GitHub, which triggers the next steps.
- GitHub will publish the CVE to the CVE List.
- GitHub will broadcast our Security Advisory via the `GitHub Advisory Database <https://github.com/advisories`_.
- GitHub will send `security alerts <https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies>`_ to all repositories that use our package (and have opted into security alerts).
This includes Dependabot alerts.
- We will make a bug-fix release.
- We will send an announcement through our usual channels:

- The GitHub release
- The GitHub discussions
- The `Plone Community Forum <https://community.plone.org/>`_

- We will provide credit to the reporter or researcher in the vulnerability notice.

0 comments on commit e2e02b4

Please sign in to comment.