From 5bc3a6fb3db10a843ddfa98670e3d4d5d78decfe Mon Sep 17 00:00:00 2001 From: JeremyDev87 Date: Sat, 9 May 2026 10:24:48 +0900 Subject: [PATCH] =?UTF-8?q?docs(security):=20v1=20=EC=A7=80=EC=9B=90=20?= =?UTF-8?q?=EC=A0=95=EC=B1=85=20=EC=A0=95=EC=8B=9D=ED=99=94?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SECURITY.md의 early-development 문구를 제거하고 v1.0 이후 지원 정책을 master 기준으로 정리합니다. Closes #84 --- SECURITY.md | 40 ++++++++++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 14 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 89f82bc..3258b98 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,15 +2,26 @@ ## Supported Versions -Kratos is in early development. Security fixes are currently applied to the -latest code on `main` and the most recent published release once releases -exist. - -| Version | Supported | -| --- | --- | -| `main` | Yes | -| Latest release | Yes | -| Older releases | No | +Kratos security support starts with the v1.0 release line. Security fixes are +prepared on the default development branch, `master`, and released through the +supported release lines below. + +| Version or branch | Supported | Policy | +| --- | --- | --- | +| `master` | Yes | Default development branch for unreleased security fixes. | +| Latest release | Yes | Newest published stable release. | +| Current major | Yes | Supported release line sharing the latest stable major version, such as `1.x` for v1.0. | +| Older releases | No | Earlier major versions and pre-v1.0 releases are unsupported unless maintainers announce an exception. | + +Definitions: + +- Latest release means the newest stable GitHub release or tag published from + `master`. +- Current major means the active stable major release line that contains the + latest release. For v1.0, this is the `1.x` line. +- Older releases means pre-v1.0 releases and any major release line older than + the current major. Upgrade to the latest supported release before requesting + a security fix. ## Reporting a Vulnerability @@ -18,12 +29,13 @@ Please do not report security vulnerabilities in public GitHub issues, discussions, or pull requests. If GitHub Private Vulnerability Reporting is enabled for this repository, use -that channel first. +that channel first. It is the preferred way to share vulnerability details with +the maintainers. -If private reporting is not available yet, open a minimal public issue that -does **not** include exploit details and request a private contact channel from -the maintainers. Keep proof-of-concept code, payloads, and reproduction steps -private until a secure channel is established. +If Private Vulnerability Reporting is not available, open a minimal public +issue that does **not** include exploit details and request a private contact +channel from the maintainers. Keep proof-of-concept code, payloads, and +reproduction steps private until a secure channel is established. When reporting a vulnerability, please include: