Merge pull request #18537 from matplotlib/security-policy

tacaswell · web-flow · commit 15841b9a7aef · 2020-10-09T15:29:47.000-04:00
GOV: Create security policy
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,31 @@
+# Security Policy
+
+## Supported Versions
+
+The following table lists versions and whether they are supported. Security
+vulnerability reports will be accepted and acted upon for all supported
+versions.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 3.3.x   | :white_check_mark: |
+| 3.2.x   | :white_check_mark: |
+| 3.1.x   | :x:                |
+| 3.0.x   | :x:                |
+| 2.2.x   | :white_check_mark: |
+| < 2.2   | :x:                |
+
+## Reporting a Vulnerability
+
+If you have found a security vulnerability, in order to keep it confidential, 
+please do not report an issue on GitHub.
+
+Please email us details of the vulnerability at matplotlib@numfocus.org; 
+include a description and proof-of-concept that is [short and
+self-contained](http://www.sscce.org/).
+
+You should expect a response within a week of your email. Depending on the 
+severity of the issue, this may require some time to draft an immediate bugfix
+release. Less severe issues may be held until the next release.
+
+We do not award bounties for security vulnerabilities. 
diff --git a/doc/devel/release_guide.rst b/doc/devel/release_guide.rst
@@ -96,6 +96,13 @@ Merge ``*-doc`` branch
 Merge the most recent 'doc' branch (e.g., ``v3.2.0-doc``) into the branch you
 are going to tag on and delete the doc branch on GitHub.
 
+Update supported versions in Security Policy
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+When making major or minor releases, update the supported versions in the
+Security Policy in :file:`SECURITY.md`.  Commonly, this may be one or two
+previous minor releases, but is dependent on release managers.
+
 Update "What's New" and "API changes"
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
