Create SECURITY.md #751

Merged
merged 5 commits into from
Jan 23, 2024
Update SECURITY.md
juhoinkinen committed Dec 12, 2023
commit efdd9ad66cfec5a05c8f121aae126f3e1ff8ca67
29 changes: 16 additions & 13 deletions SECURITY.md
Expand Up @@ -2,14 +2,18 @@

## Supported Versions

We aim to update all Annif dependencies to their latest versions
on each Annif minor version release, but this can be restricted by the
[backward compatibility policy](https://github.com/NatLibFi/Annif/wiki/Backward-compatibility-between-Annif-releases).
The [most recent Annif (major/minor) release](https://github.com/NatLibFi/Annif/releases)
is considered supported,
in the sense that if a serious bug or vulnerability is encountered in it,
a patch release is made to fix the issue.

However, the [dependencies of a given Annif release](https://github.com/NatLibFi/Annif/blob/main/pyproject.toml)
Generally, we aim to update all dependencies to their latest versions
on each Annif major/minor release, but this can be restricted by the
[backward compatibility policy](https://github.com/NatLibFi/Annif/wiki/Backward-compatibility-between-Annif-releases).
However, note that the [dependencies of a given Annif release](https://github.com/NatLibFi/Annif/blob/main/pyproject.toml)
are pinned only on minor version level, so all patch level fixes of dependencies
can be applied to an Annif installation just by running
`pip install annif --upgrade`.
can be applied to an Annif installation
(either manually updating the outdated packages or recreating the virtual environment and reinstalling Annif).

### Docker image
The Docker image of the latest Annif release in the
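Review bot: the new parenthetical "(either manually updating the outdated packages or recreating the virtual environment and reinstalling Annif)" drops the only concrete upgrade command in this section (the removed `pip install annif --upgrade`) without giving the reader a replacement for the "manually updating" path, and it is grammatically dangling after "can be applied to an Annif installation". Suggest "either by manually upgrading the outdated packages or by recreating the virtual environment and reinstalling Annif", and consider naming the command that users should run for the first option so the patch-level-fix advice stays actionable. Also, the two opening sentences now both say "aim to update all dependencies to their latest versions" in slightly different words ("Annif minor version release" vs. "Annif major/minor release"); keep one of them so the supported-version statement is not contradicted by the surrounding text.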
Expand Down Expand Up @@ -38,11 +42,10 @@ Each security concern will be assigned to a handler from our team,
who will contact you if there's a need for additional information.
We confirm the problem and keep you informed of the fix.

Please include the following information along with your report:
Make sure to add the following details when submitting your report:

- A descriptive title, clearly stating the nature and object software (Annif) of the report.
- Your name and affiliation (if any).
- A description of the technical details of the vulnerabilities.
- A minimal example of the vulnerability.
- An explanation of who can exploit this vulnerability, and what they gain when doing so.
- Whether this vulnerability is public or known to third parties. If it is, please provide details.
- A clear and descriptive title that outlines the report's subject and the software it pertains to (Annif).
- Break down the technical aspects of the vulnerability in your description.
- A minimal example showcasing the vulnerability.
- An explanation who has the potential to exploit this vulnerability and the benefits they would derive from doing so.
- Whether the vulnerability is public knowledge or known to third parties, and if so, share relevant details.
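Review bot: the fourth new bullet is missing a preposition: "An explanation who has the potential to exploit" should read "An explanation of who has the potential to exploit". The rewritten list also mixes noun phrases ("A clear and descriptive title ...", "A minimal example ...") with an imperative ("Break down the technical aspects ..."); keep them parallel, e.g. "A description of the technical details of the vulnerability." Finally, the "Your name and affiliation (if any)" item was removed without an equivalent; if that was deliberate, fine, but if reporters' contact details are still wanted for the handler follow-up described above, restore it.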