18 lines
1.2 KiB
Markdown
18 lines
1.2 KiB
Markdown
|
# Security Policy
|
||
|
|
|
||
|
|
## Supported Versions
|
||
|
|
|
||
|
|
We follow the [WordPress Core style of versioning](https://make.wordpress.org/core/handbook/about/release-cycle/version-numbering/) rather than traditional [SemVer](https://semver.org/). This means that a move from version 3.9 to 4.0 is no different from a move from version 3.8 to 3.9. When a **PATCH** version is released it represents a bug fix, or non-code, only change.
|
||
|
|
|
||
|
|
The latest version released is the only version that will receive security updates, generally as a **PATCH** release unless a security issue requires a functionality change in which requires a minor/major version bump.
|
||
|
|
|
||
|
|
## Reporting a Vulnerability
|
||
|
|
|
||
|
|
For security reasons, the following are acceptable options for reporting all security issues.
|
||
|
|
|
||
|
|
1. Via Keybase secure message to [timnolte](https://keybase.io/timnolte/chat) or [daggerhart](https://keybase.io/daggerhart/chat).
|
||
|
|
2. Send a DM via the [WordPress Slack](https://make.wordpress.org/chat/) to `tnolte`.
|
||
|
|
3. Via a private [security advisory](https://github.com/oidc-wp/openid-connect-generic/security/advisories) notice.
|
||
|
|
|
||
|
|
Please disclose responsibly and not via public GitHub Issues (which allows for exploiting issues in the wild before the patch is released).
|