Iceshrimp.NET/SECURITY.md
2024-11-16 19:25:45 +01:00

# Security vulnerability disclosure
If you discover a security vulnerability, you can report it to us via any of the below channels:
- Open an issue of type "Security" on the [issue tracker](https://issues.iceshrimp.dev/). Make sure to set "Confidential" to "Yes" if the vulnerability details are not already public.
- Send your PGP key to security@iceshrimp.dev. After secure communication is established, send us the vulnerability details as an encrypted message.

This will allow us to assess the risk & make a fix available before the vulnerability is disclosed publicly.

Note that in the case of coordinated disclosure, once the severity has been established to be high/critical & patches are ready, we will set a cutoff date (within reason), at which point we'll release the patches regardless of the state of the coordinated disclosure. This is to prevent excessive delays caused by bikeshedding or similar behavior by coordination partners.