Anonymous User
October 16, 2024 12:30PM
details: https://github.com/nginx/nginx/commit/f9f2854043529262f84eacf0931f95f66cf930e8
branches: security
commit: f9f2854043529262f84eacf0931f95f66cf930e8
user: Sergey Kandaurov <pluknet@nginx.com>
date: Wed, 16 Oct 2024 20:22:52 +0400
description:
Update SECURITY.md.

Removed unrelated rewraps, minor editorial.
No content changes.

---
SECURITY.md | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index f4112303e..2479ca70e 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -6,25 +6,27 @@ implications of configurations and misconfigurations.

## Reporting a Vulnerability

-Please report any vulnerabilities via one of the following methods (in order of
-preference):
+Please report any vulnerabilities via one of the following methods
+(in order of preference):

-1. [Report a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) within this
-repository. We are using the GitHub workflow that allows us to manage
-vulnerabilities in a private manner and interact with reporters securely.
+1. [Report a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability)
+within this repository. We are using the GitHub workflow that allows us to
+manage vulnerabilities in a private manner and interact with reporters
+securely.

2. [Report directly to F5](https://www.f5.com/services/support/report-a-vulnerability).

-3. Report via email to security-alert@nginx.org. This method will be deprecated
-in the future.
+3. Report via email to security-alert@nginx.org.
+This method will be deprecated in the future.

### Vulnerability Disclosure and Fix Process

The nginx community requests that all suspected vulnerabilities be reported
-privately via the [Reporting a Vulnerability](SECURITY.md#reporting-a-vulnerability) guidelines.
+privately via the
+[Reporting a Vulnerability](SECURITY.md#reporting-a-vulnerability) guidelines.
If a publicly released vulnerability is reported, we
-may request to handle it according to the private disclosure process. If the
-reporter agrees, we will follow the private disclosure process.
+may request to handle it according to the private disclosure process.
+If the reporter agrees, we will follow the private disclosure process.

Security fixes will be applied to all supported stable releases, as well as the
mainline version, as applicable. We recommend using the most recent mainline or
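Review bot: The rewrap in the "Vulnerability Disclosure and Fix Process" paragraph leaves two wrapping conventions side by side. The unchanged line "If a publicly released vulnerability is reported, we" still breaks mid-sentence after "we", while the added lines start "If the reporter agrees, ..." on a line of its own, and list item 3 does the same with "This method will be deprecated in the future." Either re-fill the whole paragraph to the column limit or start every sentence on a new line, so later edits to this policy text produce minimal diffs. Separately, the added link target `SECURITY.md#reporting-a-vulnerability` points back into the same file; a bare `#reporting-a-vulnerability` anchor would keep working if the file is rendered from another path.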
@@ -45,7 +47,6 @@ private until made public. As nginx is supported by F5, we generally follow the
disclosure. If an extension is needed, we will work with the disclosing person.
- Publicly disclosed (i.e., Zero-Day vulnerabilities) will be addressed ASAP.

-
## Confidentiality, Integrity, and Availability

### Confidentiality and Integrity
@@ -97,6 +98,6 @@ recommended configurations to mitigate risks.
## Debug Logging and Core Files

Debug logs and core files produced by nginx may contain un-sanitized data,
-including sensitive information like client requests, server configurations, and
-private key material. These artifacts must be handled carefully to avoid
+including sensitive information like client requests, server configurations,
+and private key material. These artifacts must be handled carefully to avoid
exposing confidential data.
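Review bot: Nothing is wrong with the rewrap itself in the "Debug Logging and Core Files" paragraph, but the text it touches says these artifacts "must be handled carefully" without saying what that means for someone sending them to the project. Since debug logs and core files are typical attachments to a vulnerability report, a follow-up change could add one sentence here pointing to the private channels listed under "Reporting a Vulnerability" as the place to share them. The context line also spells "un-sanitized" with a hyphen; "unsanitized" is the usual form if a later editorial pass touches this paragraph.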
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel