|
| 1 | +# Security |
| 2 | + |
| 3 | +This document specifies the security process for the AsyncHTTPClient project. |
| 4 | + |
| 5 | +## Disclosures |
| 6 | + |
| 7 | +### Private Disclosure Process |
| 8 | + |
| 9 | +The AsyncHTTPClient maintainers ask that known and suspected vulnerabilities be |
| 10 | +privately and responsibly disclosed by emailing |
| 11 | + |
| 12 | +with the all the required detail. |
| 13 | +**Do not file a public issue.** |
| 14 | + |
| 15 | +#### When to report a vulnerability |
| 16 | + |
| 17 | +* You think you have discovered a potential security vulnerability in |
| 18 | + AsyncHTTPClient. |
| 19 | +* You are unsure how a vulnerability affects AsyncHTTPClient. |
| 20 | + |
| 21 | +#### What happens next? |
| 22 | + |
| 23 | +* A member of the team will acknowledge receipt of the report within 3 |
| 24 | + working days (United States). This may include a request for additional |
| 25 | + information about reproducing the vulnerability. |
| 26 | +* We will privately inform the Swift Server Work Group ([SSWG][sswg]) of the |
| 27 | + vulnerability within 10 days of the report as per their [security |
| 28 | + guidelines][sswg-security]. |
| 29 | +* Once we have identified a fix we may ask you to validate it. We aim to do this |
| 30 | + within 30 days. In some cases this may not be possible, for example when the |
| 31 | + vulnerability exists at the protocol level and the industry must coordinate on |
| 32 | + the disclosure process. |
| 33 | +* If a CVE number is required, one will be requested from [MITRE][mitre] |
| 34 | + providing you with full credit for the discovery. |
| 35 | +* We will decide on a planned release date and let you know when it is. |
| 36 | +* Prior to release, we will inform major dependents that a security-related |
| 37 | + patch is impending. |
| 38 | +* Once the fix has been released we will publish a security advisory on GitHub |
| 39 | + and in the Server → Security Updates category on the [Swift forums][swift-forums-sec]. |
| 40 | + |
| 41 | +[sswg]: https://github.com/swift-server/sswg |
| 42 | +[sswg-security]: https://github.com/swift-server/sswg/blob/main/security/README.md |
| 43 | +[swift-forums-sec]: https://forums.swift.org/c/server/security-updates/ |
| 44 | +[mitre]: https://cveform.mitre.org/ |
0 commit comments