Add Security Policy document (#8823)

Merge pull request 8823
This commit is contained in:
Parker Moore 2021-12-16 09:17:36 -05:00 committed by GitHub
parent 2abf1787ca
commit 5aeb2bfe4e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 41 additions and 0 deletions

SECURITY.md Normal file

@ -0,0 +1,32 @@
# Security Policy
## Supported Versions
Security updates are applied to the latest MINOR version of Jekyll, and the version used by GitHub Pages, v3.9.x.
| Version | Supported |
| ------- | ------------------ |
| 4.2.x | :white_check_mark: |
| 3.9.x | :white_check_mark: |
| < 3.9.x | :x: |
## Reporting a Vulnerability
Please report vulnerabilities by sending an email to security@jekyllrb.com with the following information:
1. A description of the vulnerability
2. Reproduction steps and/or a sample site (share a private repo to the [Jekyll Security Team](docs/pages/team.md))
3. Your contact information
The Jekyll security team will respond to your submission and notify you whether it has been confirmed by the team.
Your confidentiality is kindly requested as we work on a fix. We will provide our patch to you to test and verify that the vulnerability has
been closed.
If you have created a patch and would like to submit that to us as well, we will happily consider it though we cannot guarantee that we will
use it. If we use your patch, we will attribute authorship to you either as the commit author, or as a co-author.
Once a fix is verified, we will release PATCH versions of the supported MINOR versions and assign a CVE to the vulnerability. You will receive
credit in our release post.
Once the patched version has been released, we will no longer request you to maintain confidentiality and you may choose to share details on
how you found the vulnerability with the community.
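Review bot: the reporting section asks for reproduction steps and sample sites to be sent to security@jekyllrb.com but gives no PGP key or fingerprint, so a reporter has no way to encrypt a working exploit in transit; consider publishing a key next to the address. Two smaller points in the same hunk: the "Reporting a Vulnerability" step 2 links to `docs/pages/team.md` with a path relative to the repository root, which resolves on GitHub's file view but not from the rendered site, and "will respond to your submission" states no expected response window, which reporters usually want before deciding on a disclosure timeline.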


@ -12,6 +12,15 @@ community around the Jekyll ecosystem thrive._
* Ashwin (@ashmaroli)
* Matt (@mattr-)
## Security Team
_The Jekyll Security Team's responsibility is to triage, validate, and
patch security vulnerabilities reported to them._
* Parker (@parkr)
* Ashwin (@ashmaroli)
* Matt (@mattr-)
## Emeritus Core Team Members
_Emeritus Core Team Members were once members of Jekyll's Core Team._
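Review bot: the new Security Team section lists the same three members (@parkr, @ashmaroli, @mattr-) as the list directly above it, and since SECURITY.md sends reporters to this page to share a private repo, the section should say what to do on arrival: that reports go to security@jekyllrb.com and that any of the listed handles can be added as a collaborator on the private reproduction repo. As written, a reporter following the link finds only names.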