[nginx] Branch created: security
noreply at nginx.com
Wed Oct 16 16:28:02 UTC 2024
details: https://github.com/nginx/nginx/commit/f9f2854043529262f84eacf0931f95f66cf930e8
branches: security
commit: f9f2854043529262f84eacf0931f95f66cf930e8
user: Sergey Kandaurov <pluknet at nginx.com>
date: Wed, 16 Oct 2024 20:22:52 +0400
description:
Update SECURITY.md.
Removed unrelated rewraps, minor editorial.
No content changes.
---
SECURITY.md | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index f4112303e..2479ca70e 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -6,25 +6,27 @@ implications of configurations and misconfigurations.
## Reporting a Vulnerability
-Please report any vulnerabilities via one of the following methods (in order of
-preference):
+Please report any vulnerabilities via one of the following methods
+(in order of preference):
-1. [Report a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) within this
-repository. We are using the GitHub workflow that allows us to manage
-vulnerabilities in a private manner and interact with reporters securely.
+1. [Report a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability)
+within this repository. We are using the GitHub workflow that allows us to
+manage vulnerabilities in a private manner and interact with reporters
+securely.
2. [Report directly to F5](https://www.f5.com/services/support/report-a-vulnerability).
-3. Report via email to security-alert at nginx.org. This method will be deprecated
-in the future.
+3. Report via email to security-alert at nginx.org.
+This method will be deprecated in the future.
### Vulnerability Disclosure and Fix Process
The nginx community requests that all suspected vulnerabilities be reported
-privately via the [Reporting a Vulnerability](SECURITY.md#reporting-a-vulnerability) guidelines.
+privately via the
+[Reporting a Vulnerability](SECURITY.md#reporting-a-vulnerability) guidelines.
If a publicly released vulnerability is reported, we
-may request to handle it according to the private disclosure process. If the
-reporter agrees, we will follow the private disclosure process.
+may request to handle it according to the private disclosure process.
+If the reporter agrees, we will follow the private disclosure process.
Security fixes will be applied to all supported stable releases, as well as the
mainline version, as applicable. We recommend using the most recent mainline or
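Review bot: the rewrap leaves the first sentence of the second paragraph split after "we": the unchanged line `If a publicly released vulnerability is reported, we` is now followed by `may request to handle it according to the private disclosure process.`, so the first line stays short and the break falls mid-clause. Since the aim of this commit is consistent wrapping, consider reflowing the whole paragraph at the same width, e.g. `If a publicly released vulnerability is reported, we may request to handle it` / `according to the private disclosure process. If the reporter agrees, we will` / `follow the private disclosure process.` Separately, the deprecation notice for the e-mail channel in item 3 gives neither a timeline nor a pointer to the two preferred channels above it; adding one would be a content change, so it belongs in a follow-up rather than in this editorial commit.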
@@ -45,7 +47,6 @@ private until made public. As nginx is supported by F5, we generally follow the
disclosure. If an extension is needed, we will work with the disclosing person.
- Publicly disclosed (i.e., Zero-Day vulnerabilities) will be addressed ASAP.
-
## Confidentiality, Integrity, and Availability
### Confidentiality and Integrity
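Review bot: while the spacing around this list is being touched, the last bullet reads `Publicly disclosed (i.e., Zero-Day vulnerabilities) will be addressed ASAP.`, where the parenthesis swallows the subject noun and leaves "Publicly disclosed" standing alone; suggest `Publicly disclosed (i.e., zero-day) vulnerabilities will be addressed ASAP.` Dropping the extra blank line before the heading is fine as it matches the single blank line used before the other headings in the file.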
@@ -97,6 +98,6 @@ recommended configurations to mitigate risks.
## Debug Logging and Core Files
Debug logs and core files produced by nginx may contain un-sanitized data,
-including sensitive information like client requests, server configurations, and
-private key material. These artifacts must be handled carefully to avoid
+including sensitive information like client requests, server configurations,
+and private key material. These artifacts must be handled carefully to avoid
exposing confidential data.
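Review bot: `un-sanitized` in the unchanged first line of this paragraph is hyphenated while the rest of the file uses closed compounds (`misconfigurations` in the context of the first hunk); since this is an editorial pass, `unsanitized` would be consistent. The rewrap itself is fine, and the statement that core files may contain private key material is worth keeping on one line with the rest of the list as done here.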