From b4daff5fd2aa92cbe9cf50d329a20aed3925682a Mon Sep 17 00:00:00 2001 From: Nate Fischer Date: Thu, 6 Jan 2022 22:39:44 -0800 Subject: [PATCH] chore: add SECURITY.md (#1061) No change to code. This adds a security policy. Issue #1058 --- .github/SECURITY.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000..1496889 --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,31 @@ +# ShellJS Security Policy + +Thank you for reaching out regarding the security of the ShellJS module! Please +note that this project is maintained on a best-effort basis, however I still +intend to prioritize reviewing and addressing security issues. + +## Supported Versions + +I generally only support the latest ShellJS release (see +https://www.npmjs.com/package/shelljs). My goal is to release security fixes as +patch releases on top of whatever was most recently shipped. + +If breaking changes have already landed on the main development branch, I may +apply the patch on the relevant release branch (ex. +[`0.8-release`](https://github.com/shelljs/shelljs/commits/0.8-release) and +create a new release from there. + +## Reporting a Vulnerability + +Please report security vulnerabilities to ntfschr@gmail.com. I should respond +within a few days. Although it's not strictly required, it helps me out if you +can include any proof of concept exploit code, suggested fix, etc. + +**Please do not publicly disclose the suspected vulnerability** until I have a +chance to review your report. I'd like a chance to patch the code before the +issue is known to the public. + +Please **only** use this email for security issues. It's also OK to use the +email if you're legitimately unsure if this is a security issue (better safe +than sorry). But for all other non-security issues, please use the GitHub issue +tracker.
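Review bot: In the "Supported Versions" section, the parenthetical that begins "(ex. [`0.8-release`](https://github.com/shelljs/shelljs/commits/0.8-release)" is never closed, so the sentence runs on into "and create a new release from there"; add the missing ")" right after the link. In "Reporting a Vulnerability", the request "Please do not publicly disclose the suspected vulnerability" is tied only to "until I have a chance to review your report", and the response time is given as "within a few days" with no fallback; consider stating what a reporter should do if no reply arrives and how long they are asked to hold disclosure, so the embargo has a defined end. The policy also lists a single e-mail address as the only reporting channel; if that is intentional, it is worth saying so, since reporters sending proof-of-concept code may look for a second contact or a private channel.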