From 24515af1446350225c5d55b28ff37d801d265dfb Mon Sep 17 00:00:00 2001 From: jrfnl Date: Fri, 19 May 2023 04:40:46 +0200 Subject: [PATCH] Add `security.md` file ... containing information about how to report security issues and what versions of PHP_CodeSniffer are supported from a security point of view. The file is placed in the `.github` directory. This will allow for it to be recognized correctly by GitHub, while not cluttering up the project root directory. Ref: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository --- .github/SECURITY.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000000..a3c5cbbbab --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,22 @@ +# Security Policy + +## Supported Versions + +The latest patch version of the `3.x` release series is supported for security updates. + +## Reporting a Vulnerability + +PHP_CodeSniffer is a developer tool and should generally not be used in a production (web accessible) environment. + +Having said that, responsible disclosure of security issues is highly appreciated. + +**Please do not report or discuss security vulnerabilities through public GitHub issues, discussions, or pull requests.** + +Issues can be reported privately to the maintainers by opening a [Security vulnerability report](https://github.com/squizlabs/PHP_CodeSniffer/security/advisories/new). + +### Preferences + +* Please provide detailed reports with reproducible steps and a clearly defined impact. +* Include the version number of the vulnerable package in your report. +* Fixes are most welcome. + A private PR can be created from the security report to work on and discuss the patch.
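Review bot: the "Supported Versions" section in the new `.github/SECURITY.md` only states that the latest `3.x` patch release is supported, leaving readers on `2.x` or earlier to infer that they get no fixes; consider saying that explicitly (the GitHub guide this commit links to suggests a small version/supported table for this), and since the "Reporting a Vulnerability" section points solely at the `security/advisories/new` form, confirm that private vulnerability reporting is enabled for the repository and consider naming a fallback contact so that reports are not lost if that form is unavailable.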