Add SECURITY.md

rofl0r · web-flow · commit e69788b761dd · 2024-05-05T20:56:17.000+02:00
given the catastrophic way TALOS Intelligence "communicated" with upstream
(i.e. by probably sending a single mail to an unused email address),
it's probably best to explicitly document how to approach upstream
when a security issue is discovered.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,28 @@
+# Security Policy
+
+## Supported Versions
+
+| Version   | Supported          |
+| --------- | ------------------ |
+| 1.11.x    | :white_check_mark: |
+| <= 1.10.x | :x:                |
+
+## Reporting a Vulnerability
+
+Open a public issue on github. The issue will most likely be fixed
+within a day, unless all maintainers happen to just be taking a
+vacation at the same time, which is unlikely.
+
+Even then, having the bug publicly known will allow competent people
+to come up with custom patches for distros, most likely quicker
+than black hats can craft a remote execution exploit.
+
+If you really really do not want to make the issue public, come
+to the tinyproxy IRC channel and ask for a maintainer, which you
+can then contact via private messages.
+
+Do not, however, like ["TALOS Intelligence"](https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889)
+pull a random email address out of git log, then send an email
+nobody reads or responds to, and wait for 6 months for publication.
+this only gives black hats plenty time to sell, use and circulate
+zero days and get the best possible ROI.
