Files
wolfssl/.github/SECURITY.md
T
Colton Willey c6837a96c5 Publish wolfSSL Security Policy and Vulnerability Report Template
Add SECURITY-POLICY.md and SECURITY-REPORT-TEMPLATE.md at the repository
root and replace the .github/SECURITY.md stub with a short pointer.

SECURITY-POLICY.md is intentionally terse and discretionary, matching
OpenSSL and Mbed TLS practice. It states the CVE-filing criterion,
severity tiers, categories not considered CVE-eligible, coordinated-
disclosure practice, and credit.

SECURITY-REPORT-TEMPLATE.md is a structured report template whose use is
mandatory for CVE consideration. It requires a reachability trace,
attacker model, working proof-of-concept, and a related-work check
against open pull requests and recent commits.

All reports route to support@wolfssl.com.
2026-04-22 18:53:38 -07:00

14 lines
783 B
Markdown

# Security Policy
## Reporting a Vulnerability
**Use of the wolfSSL Vulnerability Report Template is mandatory.** All security reports must use [`SECURITY-REPORT-TEMPLATE.md`](../SECURITY-REPORT-TEMPLATE.md), with every required field completed. Reports that do not use the template, or that leave required fields incomplete, will not receive CVE consideration.
Submit the completed template to **support@wolfssl.com**.
Non-template submissions may still be reviewed on the merits and, where appropriate, addressed as hardening fixes in a future release.
**Please keep the vulnerability private** until a fix has been released.
For the full policy — severity rubric, coordinated-disclosure practice, and reporter credit — see [`SECURITY-POLICY.md`](../SECURITY-POLICY.md).