From: Phil Pennock Date: Wed, 19 Jun 2019 19:37:19 +0000 (-0400) Subject: Add a security page in a place where GitHub will detect it X-Git-Tag: exim-4.93-RC0~157 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/3ff0668bf4565e7f8ea4b843474ddb49cce46fed Add a security page in a place where GitHub will detect it --- diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..5580a8cfc --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,30 @@ +# Security Policy + +## Supported Versions + +We are an open source project with no corporate sponsor and no formal +"support". In practice, we support the latest released version and work with +OS vendors to make it easy for them to backport fixes for their distributed +packages. For some security issues, we will issue a patch-release which has +just a simple fix. + +We also often have `exim_VERSION+fixes` branches with small things which we +recommend that vendors use. + +For postmasters installing Exim manually, we recommend always using the latest +released tarball. + +## Reporting a Vulnerability + +Our security page is at . +It contains the current contact point and list of PGP keys to use for +encrypting particularly sensitive information. +This also links to our documentation and the chapter on security +considerations. + +Our security release process is at +. +This covers what we do in handling vulnerability reports. + +We have no bug bounty program of our own; we're far too disparate a group of +volunteers for such things.
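Review bot: In the "Reporting a Vulnerability" section, the sentences "Our security page is at ." and "Our security release process is at ." show no link target in this view of the patch, so a reporter reading the file in this form cannot reach the contact point or the PGP keys it mentions. If the targets are written as angle-bracket autolinks, consider a link form that survives plain-text and tag-stripping renderers, and consider stating the reporting channel directly in SECURITY.md instead of only behind a link. In "Supported Versions", "the latest released version" and `exim_VERSION+fixes` are described without saying where a reader finds the current release or the current fixes branch; a pointer to that would help vendors and postmasters act on the policy.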