Add a note on typical timelines for security incident responses

2025-12-13 20:36:22 +01:00 · 2025-09-14 21:13:32 +05:30
parent aa89e696ae
commit d0ff9be76c
1 changed files with 7 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -9,3 +9,10 @@ and released just like all other bugs.

 Preferably send an email to kovid at kovidgoyal.net or open a private security
 advisory using the GitHub security advisory facility.
+
+Note that I will respond to security communication within 72 hours. Once
+the bug is confirmed, it will be fixed or at least mitigated within another 72
+hours, at which time the fix will typically be committed to master and hence be
+public. That timeline might be extended based on the severity of the issue and the
+current state of master in terms of making a new release, if so, it will be
+done in consultation with the issue reporter.