From f1eaf4c2ccff754ae064bc8daba4f94084eb41ec Mon Sep 17 00:00:00 2001 From: Konstantin Wohlwend Date: Thu, 8 Aug 2024 22:01:44 -0700 Subject: [PATCH] Update security policy --- .github/SECURITY.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index d4a2dc16c..0d7a3a45c 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -4,14 +4,12 @@ Only the latest versions of Stack's server and client packages are supported. We do not provide security updates for older versions. +If you would like to get security consulting regarding older versions of on-prem or self-hosted deployments of Stack, please [contact us](mailto:team@stack-auth.com). + ## Reporting a Vulnerability -Stack Auth practices [responsible disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure). +Stack Auth practices [responsible disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure). This helps us protect our users, but requires your cooperation. -Please disclose security vulnerabilities responsibly by emailing us at responsible-disclosure@stack-auth.com. In this case: +Please disclose security vulnerabilities responsibly by emailing us at security@stack-auth.com. In this case, we will get back to you within 96 hours, and aim to get a fix released as soon as possible. We will disclose the issue publicly after at most 90 days. -- We will get back to you within 96 hours. -- We will aim to get a fix released within 30 days, and disclose the issue, crediting you. -- If we are unable to fix the issue within 90 days, we will disclose the issue publicly. - -Please do not create GitHub issues with security vulnerabilities; instead, email us directly at the address above. +Hence, we ask you not to publicize issues until the 90 days deadline is over. Also, please do not create GitHub issues with security vulnerabilities; instead, email us directly at the address above.
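Review bot: the embargo request in the last added line ("we ask you not to publicize issues until the 90 days deadline is over") is not tied to the fix: the same hunk says a fix will be released "as soon as possible" and that disclosure happens "after at most 90 days", so a reporter who receives a fix on day 10 is still asked to stay silent for the remaining 80 days, and the text does not say what happens if the project discloses earlier than day 90. Suggest stating the embargo as ending at the earlier of the project's own public disclosure (with or after the fix) and the 90-day deadline, e.g. "Hence, we ask you not to publicize issues until we have disclosed them or the 90-day deadline has passed, whichever comes first." Two further points on the same hunk: the removed bullets promised to credit the reporter ("disclose the issue, crediting you"), and the replacement sentence drops that commitment without any note in the commit message, which is worth restoring or explaining; and the contact address changes from responsible-disclosure@stack-auth.com to security@stack-auth.com, so it is worth confirming that the old alias keeps forwarding, since copies of the previous policy remain in released packages. Minor: "90 days deadline" should read "90-day deadline".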