diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..eb11217f1 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,38 @@ +# Security Policy + +## Supported Versions + +The table below explains the current state of our versions. Currently, only version +3.4 and higher are supported and receive security updates. Versions lower than 3.4 +are considered End of Life and will not receive any security updates. + +| Version | Branch | Security Updates | End of Life | +|---------------|------------|--------------------|--------------------| +| < 2.0 | master | :x: | :white_check_mark: | +| >= 2.0, < 3.0 | develop | :x: | :white_check_mark: | +| >= 3.0, < 3.4 | V3/develop | :x: | :white_check_mark: | +| >= 3.4 | V3/develop | :white_check_mark: | :x: | + + +## Reporting a Vulnerability + +For reporting vulnerabilities within Red-DiscordBot we make use of GitHub's +private vulnerability reporting feature (More information can be found +[here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)). +This ensures that all maintainers and key members have access to the reported +vulnerability. + +### Opening a Vulnerability Report + +To open a vulnerability report please fill out [this form](https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/new) + +You will be asked to provide a summary, details and proof of concept for your vulnerability report. +We ask that you fill out this form to the best of your ability, with as many details as possible. +Furthermore, you'll be asked to provide affected products and severity. +These fields are optional and will be filled appropriately by the maintainers if not provided. + +### Timeline + +We will try to answer your report within 7 days. If you haven't received an answer by then, we suggest you reach +out to us privately. This can best be done via our [Discord server](https://discord.gg/red), and contacting +a member who has the Staff role.
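Review bot: The "Timeline" section of this hunk tells reporters who get no answer within 7 days to reach out on the public Discord server and contact a Staff member, but it never says that the vulnerability details themselves should stay in the private advisory; consider adding one sentence such as "When following up, reference your advisory but do not share the vulnerability details on Discord" so a follow-up does not turn into an accidental public disclosure. Two smaller documentation points in the same hunk: "Currently, only version 3.4 and higher are supported" should read "only versions 3.4 and higher are supported", and the line "To open a vulnerability report please fill out [this form](...)" is missing its closing period. In the "Supported Versions" table, the "End of Life" column is simply the inverse of "Security Updates" (every row shows :x: in one and :white_check_mark: in the other), so either column alone conveys the support state; keeping only "Security Updates" would make the table harder to misread.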