mirror of
https://github.com/ZoneMinder/zoneminder.git
synced 2026-06-22 20:50:06 -04:00
The supported-versions table listed 1.36.x and 1.37.x; 1.37 was the development line that became 1.38 stable and no longer exists. Update to reflect the current series: 1.39.x development, 1.38.x stable, and 1.36.x as a legacy branch that still receives security backports on a best-effort basis.

Rewrite the reporting section to direct vulnerabilities to GitHub Private Vulnerability Reporting (now enabled on the repository) as the preferred channel, with email as a fallback, and to stop inviting public issues for suspected vulnerabilities while still welcoming non-sensitive hardening suggestions as issues or pull requests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Security Policy
Supported Versions
We do not have the resources to support every old version. ZoneMinder uses Semantic Versioning: even minor versions are stable, odd are development. We support the current stable release series and the current development series; the previous stable series receives security fixes on a best-effort basis.
| Version | Supported |
|---|---|
| 1.39.x (dev) | ✅ |
| 1.38.x (stable) | ✅ |
| 1.36.x (legacy) | ⚠️ best-effort security fixes |
| < 1.36.x | ❌ |
Reporting a Vulnerability
Please report security vulnerabilities privately so we can fix them before they are disclosed publicly. Two options:
- GitHub Private Vulnerability Reporting (preferred) — go to the Security tab and click Report a vulnerability. This opens a private advisory where we can collaborate on a fix and issue a CVE.
- Email — isaac@zoneminder.com.
Please do not open a public GitHub issue for a suspected vulnerability. Non-sensitive hardening suggestions (defense-in-depth with no exploit path) are fine as normal issues or pull requests.
We aim to acknowledge reports within a few days and to coordinate disclosure once a fix is available.