-
Notifications
You must be signed in to change notification settings - Fork 332
Security
This page exists to document pump.io's security policies. Since the wiki is publicly editable, you can find this document mirrored in the repository, where there is also a detached GPG signature.
Security disclosures can be sent to pumpsecurity@strugee.net (in the future, this will change to security@pump.io). Please do not use GitHub Issues for serious security problems, as there is no way to make a GitHub issue private. Do not report security vulnerabilities to any other address, otherwise they won't be routed to the right mailbox and the maintainers may not see them.
Should a security problem be discovered, the project will provide patches and new releases for the current stable, the previous stable, and the current beta (if there is one) - this means that the project supports approximately the previous 4 months of releases (see Release cycle for the exact timing). If there were breaking changes within the previous 6 months, security support will be extended back another release (i.e. the release before the previous stable will receive patches, for a total of 3 supported releases).
The pump.io project may commit to longer support windows for particular releases at our discretion, if you ask nicely. In particular we may be willing to do this to support distribution packaging efforts, although currently (as of January 2017) this is unlikely since there is still a lot of work to do bringing dependencies up-to-date.
There are no plans for LTS releases at this time. In the future we would like to introduce such a system; however, at the moment it's untenable due to the large amount of codebase churn.