github.com/treeverse/lakefs@v1.24.1-0.20240520134607-95648127bfb0/SECURITY.md

# Security Policy

## Supported Versions

To receive latest security and regular updates, users should stay up to date on all
releases.  Prior to the release of a 1.0.0 version only the latest released version
will receive all security updates.

Please contact us at https://lakefs.io/contact-us/ if you need security updates for
an earlier version.

| Version | Supported          |
| ------- | ------------------ |
| latest  | :white_check_mark: |
| < latest| :x: |

## Staying Up to Date

We announce all releases on the [lakefs-releases][slack-lakefs-releases] channel of
our Slack workspace.  There is also a mailing list for security announcements which
you can join: [security-announce@treeverse.io][security-mailing-list].

## Reporting a Vulnerability

We take the security of lakeFS seriously.  You can help us by following responsible
disclosure guidelines.

If you believe you’ve discovered a serious vulnerability, please report it to us by
emailing security@treeverse.io.  Please **do _NOT_** open an issue as GitHub issues
are publicly discoverable.  We acknowledge reports within 24 hours.  We will report
progress to the email used for reporting.

We will evaluate your report and if necessary issue a fix and an advisory. We would
like to credit you if the issue was unknown to us prior to your report; please tell
us if you would prefer that we do not.

We will work to release a fix within 90 days.  In rare conditions we may request an
additional 14 days to release a fix.  This is in line with disclosure policies such
as those of [Google Project Zero][project-zero-policy].  Hopefully we shall release
a fix well before then.

[project-zero-policy]: https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html
[slack-lakefs-releases]: https://lakefs.slack.com/archives/C017S6YFFSP
[security-mailing-list]: https://groups.google.com/g/lakefs-security-announce