aboutsummaryrefslogtreecommitdiff
path: root/SECURITY.md
diff options
context:
space:
mode:
authorReinier Zwitserloot <r.zwitserloot@projectlombok.org>2019-07-02 03:27:43 +0200
committerReinier Zwitserloot <r.zwitserloot@projectlombok.org>2019-07-02 03:30:44 +0200
commit11065b564f3fc1cee2c540a33b7ed1b3774816e2 (patch)
tree369714733741b71ab3903f2175177fcdc72949fb /SECURITY.md
parentbb0736fe006be22ad7d63e51d7f5fc969956255b (diff)
downloadlombok-11065b564f3fc1cee2c540a33b7ed1b3774816e2.tar.gz
lombok-11065b564f3fc1cee2c540a33b7ed1b3774816e2.tar.bz2
lombok-11065b564f3fc1cee2c540a33b7ed1b3774816e2.zip
[build] adding a security policy
Diffstat (limited to 'SECURITY.md')
-rw-r--r--SECURITY.md21
1 files changed, 21 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..43745e86
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+#Security Policies and Procedures
+
+Lombok only runs during compilation and is not required on your servers or in your application's distribution. Nevertheless, the _Project Lombok_ team and community take all security bugs seriously.
+
+## Reporting a Bug
+
+To report a security vulnerability, please follow the procedure described in the [Tidelift security policy](https://tidelift.com/docs/security?utm_source=lombok&utm_medium=referral&utm_campaign=github).
+
+Alternatively, you can send us an email privately via `info@projectlombok.org`.
+
+## Disclosure Policy
+
+When we receive a security bug report, it will be assigned a primary handler. This person will coordinate the fix and release process. In case this process requires additional resources beyond the scope of what the core contributors of _Project Lombok_ can reasonably supply, we will inform the Tidelift security team for additional help and coordination. This process will involve the following steps:
+
+* Inventorize all affected versions along with the platform(s) that lombok runs on which are affected.
+* Audit code to find any potential similar problems.
+* Prepare fixes for all releases, push these out to all distribution channels including the maven central repo, and put in all due effort to get affected versions marked as affected.
+
+## Comments on this Policy
+
+Any comments on this policy or suggestions for improvement can be discussed on [our forum](https://groups.google.com/forum/#!forum/project-lombok), or you can send us an email for any comments or suggestions that contain sensitive information.