RIOT/SECURITY.md

# RIOT Security Policy

All security bugs reported will be silently fixed in `master` and backported
to the previous release.

## Reporting a Vulnerability

If a security issue is discovered, please report it to security@riot-os.org.
A response will be provided within one week.
The issue will be tracked in the [security mailing list](mailto:security@riot-os.org).
The original reporter will be included in the discussion of the issue.

## Notification of a Vulnerability

After a fix is provided the security issue will be privately disclosed to the
original reporter, RIOT security maintainers, and "Trusted RIOT Users".
A public announcement of the security fix will be made two weeks after the
point release, though this may vary depending on the severity and ability of
trusted RIOT users to provide the fix.

## Trusted RIOT Users

To access the "Trusted RIOT Users" notifications on the
[RIOT forum](https://forum.riot-os.org) please send information
on the RIOT based service or product as well as your
[forum](https://forum.riot-os.org) username to the
[security mailing list](mailto:security@riot-os.org).
Early notification of security bugs will be available and should not be shared
publicly.
If done, it will result in access removal from the "Trusted RIOT Users"
notifications.
SECURITY.md: Add initial security policy RIOT should have a defined policy on how to handle security released bugs. After a small survey of other OSes, this seems to fit best with RIOT. 2020-11-27 13:45:50 +01:00			`# RIOT Security Policy`

			All security bugs reported will be silently fixed in `master` and backported
			`to the previous release.`

			`## Reporting a Vulnerability`

			`If a security issue is discovered, please report it to security@riot-os.org.`
			`A response will be provided within one week.`
SECURITY.md: fix broken email reference 2021-11-03 08:18:26 +01:00			`The issue will be tracked in the [security mailing list](mailto:security@riot-os.org).`
SECURITY.md: Add initial security policy RIOT should have a defined policy on how to handle security released bugs. After a small survey of other OSes, this seems to fit best with RIOT. 2020-11-27 13:45:50 +01:00			`The original reporter will be included in the discussion of the issue.`

			`## Notification of a Vulnerability`

			`After a fix is provided the security issue will be privately disclosed to the`
			`original reporter, RIOT security maintainers, and "Trusted RIOT Users".`
			`A public announcement of the security fix will be made two weeks after the`
			`point release, though this may vary depending on the severity and ability of`
			`trusted RIOT users to provide the fix.`

			`## Trusted RIOT Users`

			`To access the "Trusted RIOT Users" notifications on the`
			`[RIOT forum](https://forum.riot-os.org) please send information`
			`on the RIOT based service or product as well as your`
			`[forum](https://forum.riot-os.org) username to the`
SECURITY.md: fix mailto link 2020-12-10 14:05:21 +01:00			`[security mailing list](mailto:security@riot-os.org).`
SECURITY.md: Add initial security policy RIOT should have a defined policy on how to handle security released bugs. After a small survey of other OSes, this seems to fit best with RIOT. 2020-11-27 13:45:50 +01:00			`Early notification of security bugs will be available and should not be shared`
			`publicly.`
			`If done, it will result in access removal from the "Trusted RIOT Users"`
SECURITY.md: fix mailto link 2020-12-10 14:05:21 +01:00			`notifications.`