From 115cb270d4f0a8fde4a3815f201449e96d82c19b Mon Sep 17 00:00:00 2001 From: SteveGilvarry Date: Sat, 13 Jun 2026 14:29:16 +1000 Subject: [PATCH] docs: update security policy supported versions and reporting channels The supported-versions table listed 1.36.x and 1.37.x; 1.37 was the development line that became 1.38 stable and no longer exists. Update to reflect the current series: 1.39.x development, 1.38.x stable, and 1.36.x as a legacy branch that still receives security backports on a best-effort basis. Rewrite the reporting section to direct vulnerabilities to GitHub Private Vulnerability Reporting (now enabled on the repository) as the preferred channel, with email as a fallback, and to stop inviting public issues for suspected vulnerabilities while still welcoming non-sensitive hardening suggestions as issues or pull requests. Co-Authored-By: Claude Opus 4.8 (1M context) --- SECURITY.md | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index e845bc0ef..da2c3ef20 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,14 +2,32 @@ ## Supported Versions -Time and computers move on. We do not have the resources to support every ancient version of everything (unless you'd like to pay us to do so). We ONLY support the latest stable release and development releases. ZoneMinder uses Semantic Versioning with even minor versions being stable and odd being development. +We do not have the resources to support every old version. ZoneMinder uses +Semantic Versioning: even minor versions are stable, odd are development. We +support the current stable release series and the current development series; +the previous stable series receives security fixes on a best-effort basis. | Version | Supported | | ------- | ------------------ | -| 1.36.x | :white_check_mark: | -| 1.37.x | :white_check_mark: | -| < 1.36.x | :x: | +| 1.39.x (dev) | :white_check_mark: | +| 1.38.x (stable) | :white_check_mark: | +| 1.36.x (legacy) | :warning: best-effort security fixes | +| < 1.36.x | :x: | ## Reporting a Vulnerability -Since sometimes security vulnerabilities can be sensitive, you can just email me at isaac@zoneminder.com. If it's not such a big deal, by all means, create an issue here on GitHub. +Please report security vulnerabilities **privately** so we can fix them before +they are disclosed publicly. Two options: + +1. **GitHub Private Vulnerability Reporting (preferred)** — go to the + [Security tab](https://github.com/ZoneMinder/zoneminder/security/advisories) + and click **Report a vulnerability**. This opens a private advisory where we + can collaborate on a fix and issue a CVE. +2. **Email** — isaac@zoneminder.com. + +Please do **not** open a public GitHub issue for a suspected vulnerability. +Non-sensitive hardening suggestions (defense-in-depth with no exploit path) are +fine as normal issues or pull requests. + +We aim to acknowledge reports within a few days and to coordinate disclosure +once a fix is available.
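Review bot: the email option in the new Reporting section (`2. **Email** — isaac@zoneminder.com.`) is described in the commit message as a fallback, but the hunk presents it as an equal alternative with no guidance on when to use it or on how a report sent that way is protected in transit; consider labelling it explicitly, e.g. `2. **Email (fallback, if you cannot use GitHub)** — isaac@zoneminder.com.`, and, if the project publishes a PGP key for that address, linking it there, since a vulnerability report sent as plain email has none of the confidentiality the private advisory path provides. Smaller point: the table's unchanged separator row (`| ------- | ------------------ |`) is now much narrower than the new `:warning: best-effort security fixes` cell; widening it is cosmetic but keeps the Markdown source readable.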