From e8d823a65340a891693339dd5a5dd53e6732fb61 Mon Sep 17 00:00:00 2001
From: Jade Ellis <jade@ellis.link>
Date: Mon, 26 May 2025 15:01:58 +0100
Subject: [PATCH] docs: Apply feedback on security policy

---
 SECURITY.md | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index c5355491..a9aa183e 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -12,16 +12,18 @@ We provide security updates for the following versions of Continuwuity:
 | Main branch    |        ✅        |
 | Older releases |        ❌        |
 
+We may backport fixes to the previous release at our discretion, but we don't guarantee this.
+
 ## Reporting a Vulnerability
 
 ### Responsible Disclosure
 
 We appreciate the efforts of security researchers and the community in identifying and reporting vulnerabilities. To ensure that potential vulnerabilities are addressed properly, please follow these guidelines:
 
-1. **Email the security team** directly at [security@continuwuity.org](mailto:security@continuwuity.org)
-2. Contact members of the team over E2EE private message.
+1. Contact members of the team over E2EE private message.
    - [@jade:ellis.link](https://matrix.to/#/@jade:ellis.link)
    - [@nex:nexy7574.co.uk](https://matrix.to/#/@nex:nexy7574.co.uk) <!-- ? -->
+2. **Email the security team** directly at [security@continuwuity.org](mailto:security@continuwuity.org). This is not E2EE, so don't include sensitive details.
 3. **Do not disclose the vulnerability publicly** until it has been addressed
 4. **Provide detailed information** about the vulnerability, including:
    - A clear description of the issue
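Review bot: The new step 2 tells reporters that email is not E2EE and to leave out sensitive details, but step 4 still asks for detailed information and nothing says how an email reporter should deliver it. Suggest adding that email should be used to request an encrypted channel, with the details in step 4 then sent over the E2EE private message from step 1. Steps 1 and 2 are also alternative contact routes while 3 and 4 are requirements, so consider pulling the two contact options out of the numbered sequence. Step 1 has lost the bold lead-in that steps 2 to 4 use. The `<!-- ? -->` marker on the @nex:nexy7574.co.uk line looks like an unresolved question and should be settled before this merges. In the added backport sentence, "the previous release" sits directly under the "Older releases ❌" row, so say which release is meant, for example the one immediately before the latest.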
@@ -30,6 +32,8 @@ We appreciate the efforts of security researchers and the community in identifyi
    - Any possible mitigations
    - Version(s) affected, including specific commits if possible
 
+If you have any doubts about a potential security vulnerability, contact us via private channels first! We'd prefer that you bother us, instead of having a vulnerability disclosed without a fix.
+
 ### What to Expect
 
 When you report a security vulnerability:
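Review bot: In the added paragraph, "private channels" is not defined, and the list above now marks email as not E2EE, so a reader cannot tell whether email counts as private for a first contact. Suggest pointing back to the contact options explicitly, for example "contact us via one of the methods above", and stating that an initial message without technical details is fine over either route. The paragraph also sits after the sub-bullets of step 4 but applies before a reporter reaches step 1, so it may read better directly above the numbered list.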