# Security Policy

## Supported Versions

Security updates are applied to the latest MINOR version of Jekyll and to the version used by GitHub Pages, v3.9.x.

| Version | Supported          |
| ------- | ------------------ |
| 4.2.x   | :white_check_mark: |
| 3.9.x   | :white_check_mark: |
| < 3.9.x | :x:                |

## Reporting a Vulnerability

Please report vulnerabilities by sending an email to security@jekyllrb.com with the following information:

1. A description of the vulnerability
2. Reproduction steps and/or a sample site (share a private repo with the [Jekyll Security Team](docs/pages/team.md))
3. Your contact information

The Jekyll security team will respond to your submission and notify you whether the team has confirmed it.
Your confidentiality is kindly requested while we work on a fix. We will provide our patch to you so that you can test and verify that the vulnerability has been closed.

If you have created a patch and would like to submit it to us as well, we will happily consider it, though we cannot guarantee that we will use it. If we use your patch, we will attribute authorship to you either as the commit author or as a co-author.

Once a fix is verified, we will release PATCH versions of the supported MINOR versions and assign a CVE to the vulnerability. You will receive credit in our release post.

Once the patched version has been released, we will no longer ask you to maintain confidentiality, and you may choose to share details of how you found the vulnerability with the community.