-rw-r--r--  .github/ISSUE_TEMPLATE/security_issue.md | 14
-rw-r--r--  README                                   |  4
-rw-r--r--  SECURITY.md                              | 21
3 files changed, 24 insertions, 15 deletions
diff --git a/.github/ISSUE_TEMPLATE/security_issue.md b/.github/ISSUE_TEMPLATE/security_issue.md
deleted file mode 100644
index 44033bc0..00000000
--- a/.github/ISSUE_TEMPLATE/security_issue.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-name: Security issue with lombok
-about: Let us know about a security vulnerability in lombok
-title: '[DO NOT POST HERE]'
-labels: ''
-assignees: ''
-
----
-
-***Please do not report this here!***
-
-github issues are public. Please contact us privately so that we can work together to coordinate a fix for the vulnerability together with making the vulnerability public.
-
-You can inform the [Tidelift security contact](https://tidelift.com/security) or if you prefer, contact the core contributors of Project Lombok directly by emailing `info@projectlombok.org`
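Review bot: deleting this template removes the only in-tree signal that steers reporters away from public issues; the new SECURITY.md is reached only by someone who already knows to look for it, while the new-issue chooser loses its "[DO NOT POST HERE]" entry. Consider replacing the template with a `.github/ISSUE_TEMPLATE/config.yml` `contact_links` entry pointing at the Tidelift security contact and `info@projectlombok.org`, so the redirect still appears at the moment a reporter is about to open a public issue.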
diff --git a/README b/README
index fc03d2cb..b6fc5e26 100644
--- a/README
+++ b/README
@@ -7,4 +7,6 @@ Looking for professional support of Project Lombok? Lombok is now part of a tide
For a list of all authors, see the AUTHORS file.
-For complete project information, see https://projectlombok.org/ \ No newline at end of file
+For complete project information, see https://projectlombok.org/
+
+You can review our security policy via SECURITY.md
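Review bot: the added line `You can review our security policy via SECURITY.md` has no terminating period and does not follow the phrasing of the surrounding lines (`see the AUTHORS file`, `see https://projectlombok.org/`); suggest `For our security policy, see the SECURITY.md file.` Restoring the trailing newline on the `https://projectlombok.org/` line is a welcome side fix.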
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..43745e86
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+#Security Policies and Procedures
+
+Lombok only runs during compilation and is not required on your servers or in your application's distribution. Nevertheless, the _Project Lombok_ team and community take all security bugs seriously.
+
+## Reporting a Bug
+
+To report a security vulnerability, please follow the procedure described in the [Tidelift security policy](https://tidelift.com/docs/security?utm_source=lombok&utm_medium=referral&utm_campaign=github).
+
+Alternatively, you can send us an email privately via `info@projectlombok.org`.
+
+## Disclosure Policy
+
+When we receive a security bug report, it will be assigned a primary handler. This person will coordinate the fix and release process. In case this process requires additional resources beyond the scope of what the core contributors of _Project Lombok_ can reasonably supply, we will inform the Tidelift security team for additional help and coordination. This process will involve the following steps:
+
+* Inventorize all affected versions along with the platform(s) that lombok runs on which are affected.
+* Audit code to find any potential similar problems.
+* Prepare fixes for all releases, push these out to all distribution channels including the maven central repo, and put in all due effort to get affected versions marked as affected.
+
+## Comments on this Policy
+
+Any comments on this policy or suggestions for improvement can be discussed on [our forum](https://groups.google.com/forum/#!forum/project-lombok), or you can send us an email for any comments or suggestions that contain sensitive information.
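Review bot: `#Security Policies and Procedures` has no space after `#`, so GitHub's Markdown renderer shows it as literal text rather than a top-level heading; change it to `# Security Policies and Procedures` to match the `## ` sections below. In the first bullet, "Inventorize" should read "Inventory". The "Reporting a Bug" section also tells reporters nothing about what to expect after the private email (an acknowledgement window, or whether encrypted mail is supported); a single sentence on either would make the email route as usable as the Tidelift one.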