path: root/docs/security.rst
author    Alex Gaynor <alex.gaynor@gmail.com>    2018-08-30 11:46:41 -0400
committer Paul Kehrer <paul.l.kehrer@gmail.com>  2018-08-30 11:46:41 -0400
commit    b7114e96127863a8b28d79adaeba864b0c51a2b0 (patch)
tree      921bc087017b4162c8265d936f84e4484d5f166b /docs/security.rst
parent    002fa75d6c57420ed1805e088e1d6ecbce880938 (diff)
Update our security documentation to match what we actually do (#4430)
* Update our security documentation to match what we actually do
* If you stand for nothing Burr, what will you fall for?
Diffstat (limited to 'docs/security.rst')
-rw-r--r--  docs/security.rst  44
1 files changed, 7 insertions, 37 deletions
diff --git a/docs/security.rst b/docs/security.rst
index 251d2d95..01845a48 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -82,42 +82,12 @@ strongly recommend that you upgrade as soon as possible.
Disclosure Process
------------------
-Our process for taking a security issue from private discussion to public
-disclosure involves multiple steps.
-
-Approximately one week before full public disclosure, we will send advance
-notification of the issue to a list of people and organizations, primarily
-composed of operating-system vendors and other distributors of
-``cryptography``. This notification will consist of an email message
-containing:
-
-* A full description of the issue and the affected versions of
- ``cryptography``.
-* The steps we will be taking to remedy the issue.
-* The patches, if any, that will be applied to ``cryptography``.
-* The date on which the ``cryptography`` team will apply these patches, issue
- new releases, and publicly disclose the issue.
-
-Simultaneously, the reporter of the issue will receive notification of the date
-on which we plan to take the issue public.
-
-On the day of disclosure, we will take the following steps:
-
-* Apply the relevant patches to the ``cryptography`` repository. The commit
- messages for these patches will indicate that they are for security issues,
- but will not describe the issue in any detail; instead, they will warn of
- upcoming disclosure.
-* Issue the relevant releases.
-* Post a notice to the cryptography mailing list that describes the issue in
- detail, point to the new release and crediting the reporter of the issue.
-
-If a reported issue is believed to be particularly time-sensitive – due to a
-known exploit in the wild, for example – the time between advance notification
-and public disclosure may be shortened considerably.
-
-The list of people and organizations who receives advanced notification of
-security issues is not and will not be made public. This list generally
-consists of high-profile downstream distributors and is entirely at the
-discretion of the ``cryptography`` team.
+When we become aware of a security bug in ``cryptography``, we will endeavor to
+fix it and issue a release as quickly as possible. We will generally issue a new
+release for any security issue.
+
+The steps for issuing a security release are described in our
+:doc:`/doing-a-release` documentation.
+
.. _`master`: https://github.com/pyca/cryptography
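Review bot: the section keeps the heading "Disclosure Process" but the replacement paragraph no longer says anything about disclosure itself: the removed text told a reporter they would be notified of the planned publication date, that a notice describing the issue and crediting the reporter would be posted to the mailing list, and that the timeline could be shortened for an issue being actively exploited, while the new text only commits to "fix it and issue a release as quickly as possible". Either rename the heading to match the narrower scope or keep one sentence on what a reporter can expect, e.g. where the fix is announced and that the reporter is credited, so the page still answers the question a reporter comes to it with. Also confirm that ``:doc:`/doing-a-release``` resolves under the docs root at build time, since a broken cross-reference here leaves the process entirely undocumented.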