github.com/caos/orbos@v1.5.14-0.20221103111702-e6cd0cea7ad4/SECURITY.md

# Security Policy

At CAOS we are extremely grateful for security-aware people who disclose vulnerabilities to us and the open source community. All reports will be investigated by our team.

## Supported Versions

The following version support applies:

| Version | Supported          |
| ------- | ------------------ |
| 5.x.x   | :white_check_mark: |
| 4.x.x   | :white_check_mark: |
| 3.x.x   | :white_check_mark: |
| 2.x.x   | :white_check_mark: |
| 1.x.x   | :white_check_mark: |
| 0.x.x   | :x:                |

## Reporting a vulnerability

To file an incident, please disclose it by email to security@caos.ch with the security details.

At the moment GPG encryption is not yet supported; however, you may sign your message at will.

### When should I report a vulnerability

* You think you discovered a ...
  * ... potential security vulnerability in orbos
  * ... vulnerability in another project that orbos is based on
    * For projects with their own vulnerability reporting and disclosure process, please report it directly there

### When should I NOT report a vulnerability

* You need help applying security-related updates
* Your issue is not security-related

## Security Vulnerability Response

TBD

## Public Disclosure

All accepted and mitigated vulnerabilities will be published on the [GitHub Security Page](https://github.com/caos/orbos/security/advisories).

### Timing

We think it is crucial to publish advisories as soon as mitigations are ready. But due to the unknown nature of the disclosures, the time frame can range from 7 to 90 days.