[PROPOSED 1/2] * SECURITY: New file.
--- SECURITY | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 SECURITY diff --git a/SECURITY b/SECURITY new file mode 100644 index 0000000..40128bc --- /dev/null +++ b/SECURITY @@ -0,0 +1,15 @@ +Please report any sensitive security-related bugs via email to the +tzdb designated coordinators, currently Paul Eggert +<eggert@cs.ucla.edu> and Tim Parenti <tim@timtimeonline.com>. +Put "tzdb security" at the start of your email's subject line. +We prefer communications to be in English. + +You should receive a response within a week. If not, please follow up +via email to make sure we received your original message. + +If we confirm the bug, we plan to notify affected third-party services +or software that we know about, prepare an advisory, commit fixes to +the main development branch as quickly as is practical, and finally +publish the advisory on tz@iana.org. As with all tzdb contributions, +we give credit to security contributors unless they wish to remain +anonymous. -- 2.27.0
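Review bot: The first paragraph of the new SECURITY file asks for sensitive reports by plain email to two individual addresses but says nothing about confidentiality in transit. Consider adding a line that either tells reporters how to encrypt mail to the coordinators (for example, where to obtain their OpenPGP keys) or states that unencrypted mail is acceptable, so a reporter knows how to send reproduction details. The last paragraph also gives no disclosure expectation for the reporter: "as quickly as is practical" sets no embargo period, and one sentence asking reporters to hold publication until the advisory appears on tz@iana.org, or stating that no such hold is expected, would close that gap.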
--- CONTRIBUTING | 3 +++ NEWS | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/CONTRIBUTING b/CONTRIBUTING index 8488a58..5373354 100644 --- a/CONTRIBUTING +++ b/CONTRIBUTING @@ -26,6 +26,9 @@ to work well. Additions to data should contain commentary citing reliable sources as justification. Citations should use https: URLs if available. +For changes that fix sensitive security-related bugs, please see the +file SECURITY. + Please submit changes against either the latest release in <https://www.iana.org/time-zones> or the main branch of the development repository. The latter is preferred. If you use Git the following diff --git a/NEWS b/NEWS index de7d08c..7314421 100644 --- a/NEWS +++ b/NEWS @@ -26,6 +26,10 @@ Unreleased, experimental changes (Thanks to P Chan, Michael Deckers, Alexander Krivenyshev and Alois Treindl.) + Changes to maintenance procedure + + The new file SECURITY covers how to report security-related bugs. + Changes to code zic now creates each output file or link atomically, -- 2.27.0
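Review bot: The sentence added to CONTRIBUTING ("For changes that fix sensitive security-related bugs, please see the file SECURITY.") does not tell the contributor to keep such a patch off public channels, and it sits directly above the unchanged "Please submit changes against ..." paragraph, so a reader can follow the pointer and still submit the fix the usual way. Suggest making the exception explicit, for example "Do not submit changes that fix sensitive security-related bugs publicly; instead, follow the file SECURITY." SECURITY itself only describes reporting bugs, not sending patches, so it may also be worth saying there that a proposed fix can accompany the report.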
Participants (1): Paul Eggert