mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 17:40:50 +02:00
c6837a96c5
Add SECURITY-POLICY.md and SECURITY-REPORT-TEMPLATE.md at the repository root and replace the .github/SECURITY.md stub with a short pointer. SECURITY-POLICY.md is intentionally terse and discretionary, matching OpenSSL and Mbed TLS practice. It states the CVE-filing criterion, severity tiers, categories not considered CVE-eligible, coordinated-disclosure practice, and credit. SECURITY-REPORT-TEMPLATE.md is a structured report template whose use is mandatory for CVE consideration. It requires a reachability trace, attacker model, working proof-of-concept, and a related-work check against open pull requests and recent commits. All reports route to support@wolfssl.com.
783 B
Security Policy
Reporting a Vulnerability
Use of the wolfSSL Vulnerability Report Template is mandatory. All security reports must use SECURITY-REPORT-TEMPLATE.md, with every required field completed. Reports that do not use the template, or that leave required fields incomplete, will not receive CVE consideration.
Submit the completed template to support@wolfssl.com.
Non-template submissions may still be reviewed on the merits and, where appropriate, addressed as hardening fixes in a future release.
Please keep the vulnerability private until a fix has been released.
For the full policy — severity rubric, coordinated-disclosure practice, and reporter credit — see SECURITY-POLICY.md.