diff --git a/.github/SECURITY.md b/.github/SECURITY.md index a5b9a7cf010..85b059eac4a 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -2,12 +2,26 @@ ## Reporting a Vulnerability -**Use of the wolfSSL Vulnerability Report Template is mandatory.** All security reports must use [`SECURITY-REPORT-TEMPLATE.md`](../SECURITY-REPORT-TEMPLATE.md), with every required field completed. Reports that do not use the template, or that leave required fields incomplete, will not receive CVE consideration. +**Use of the wolfSSL Vulnerability Report Template is mandatory.** All security +reports must use [`SECURITY-REPORT-TEMPLATE.md`](../SECURITY-REPORT-TEMPLATE.md), +with every required field completed. Reports that do not use the template, or +that leave required fields incomplete, will not receive CVE consideration. -Submit the completed template to **support@wolfssl.com**. +Submit the completed template to **support@wolfssl.com**. You may also send it to +**secure@wolfssl.com** and encrypt it with our PGP key: -Non-template submissions may still be reviewed on the merits and, where appropriate, addressed as hardening fixes in a future release. + Fingerprint: A2A4 8E7B CB96 C5BE CB98 7314 EBC8 0E41 5CA2 9677 + Key server: keys.openpgp.org + +Non-template submissions may still be reviewed on the merits and, where +appropriate, addressed as hardening fixes in a future release. **Please keep the vulnerability private** until a fix has been released. -For the full policy — severity rubric, coordinated-disclosure practice, and reporter credit — see [`SECURITY-POLICY.md`](../SECURITY-POLICY.md). +## Full Policy + +For the full policy — severity rubric, scope, coordinated-disclosure practice, +and reporter credit — see [`SECURITY-POLICY.md`](../SECURITY-POLICY.md). The same +policy is also published at + so that +other wolfSSL repositories can reference one canonical copy.