docs: update security policy supported versions and reporting channels

The supported-versions table listed 1.36.x and 1.37.x; 1.37 was the
development line that became 1.38 stable and no longer exists. Update to
reflect the current series: 1.39.x development, 1.38.x stable, and 1.36.x
as a legacy branch that still receives security backports on a best-effort
basis.

Rewrite the reporting section to direct vulnerabilities to GitHub Private
Vulnerability Reporting (now enabled on the repository) as the preferred
channel, with email as a fallback, and to stop inviting public issues for
suspected vulnerabilities while still welcoming non-sensitive hardening
suggestions as issues or pull requests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
SteveGilvarry
2026-06-13 14:29:16 +10:00
parent 601e52a88a
commit 115cb270d4

@@ -2,14 +2,32 @@
## Supported Versions
Time and computers move on. We do not have the resources to support every ancient version of everything (unless you'd like to pay us to do so). We ONLY support the latest stable release and development releases. ZoneMinder uses Semantic Versioning with even minor versions being stable and odd being development.
We do not have the resources to support every old version. ZoneMinder uses
Semantic Versioning: even minor versions are stable, odd are development. We
support the current stable release series and the current development series;
the previous stable series receives security fixes on a best-effort basis.
| Version | Supported |
| ------- | ------------------ |
| 1.36.x | :white_check_mark: |
| 1.37.x | :white_check_mark: |
| < 1.36.x | :x: |
| 1.39.x (dev) | :white_check_mark: |
| 1.38.x (stable) | :white_check_mark: |
| 1.36.x (legacy) | :warning: best-effort security fixes |
| < 1.36.x | :x: |
## Reporting a Vulnerability
Since sometimes security vulnerabilities can be sensitive, you can just email me at isaac@zoneminder.com. If it's not such a big deal, by all means, create an issue here on GitHub.
Please report security vulnerabilities **privately** so we can fix them before
they are disclosed publicly. Two options:
1. **GitHub Private Vulnerability Reporting (preferred)** — go to the
[Security tab](https://github.com/ZoneMinder/zoneminder/security/advisories)
and click **Report a vulnerability**. This opens a private advisory where we
can collaborate on a fix and issue a CVE.
2. **Email** — isaac@zoneminder.com.
Please do **not** open a public GitHub issue for a suspected vulnerability.
Non-sensitive hardening suggestions (defense-in-depth with no exploit path) are
fine as normal issues or pull requests.
We aim to acknowledge reports within a few days and to coordinate disclosure
once a fix is available.
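Review bot: The new "Reporting a Vulnerability" text does not tell reporters what to include, and its closing commitment ("acknowledge reports within a few days") gives no concrete number that a reporter can hold the project to. Consider adding one sentence that asks for the affected version, the relevant configuration and reproduction steps, and replacing "a few days" with a specific figure. The email fallback is still a single personal address with no encryption key or secondary contact, so a sensitive report sent that way travels in the clear and depends on one person's availability; a shared security alias or a published key would cover both. In the table, the 1.36.x legacy row promises best-effort fixes without an end date, so a note on when that branch stops receiving backports would help operators plan upgrades.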