Merge pull request #1365 from urfave/security-policy-doc

Add a security policy document
urfave · May 22, 2022 · 939ab7f · 939ab7f
2 parents 60a6bf5 + 32be625
commit 939ab7f
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 5 deletions.
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -55,11 +55,12 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting Dan Buch at dan@meatballhat.com. All complaints will be
-reviewed and investigated and will result in a response that is deemed necessary
-and appropriate to the circumstances. The project team is obligated to maintain
-confidentiality with regard to the reporter of an incident.  Further details of
-specific enforcement policies may be posted separately.
+reported by contacting urfave-governance@googlegroups.com, a members-only group
+that is world-postable. All complaints will be reviewed and investigated and
+will result in a response that is deemed necessary and appropriate to the
+circumstances. The project team is obligated to maintain confidentiality with
+regard to the reporter of an incident. Further details of specific enforcement
+policies may be posted separately.
 
 Project maintainers who do not follow or enforce the Code of Conduct in good
 faith may face temporary or permanent repercussions as determined by other

diff --git a/docs/SECURITY.md b/docs/SECURITY.md
@@ -0,0 +1,27 @@
+# Security Policy
+
+Hello and thank you for your interest in the `urfave/cli` security
+policy! :tada: :lock:
+
+## Supported Versions
+
+| Version      | Supported                             |
+| ------------ | ------------------------------------- |
+| `>= v2.3.x`  | :white_check_mark:                    |
+| `< v2.3`     | :x:                                   |
+| `>= v1.22.x` | :white_check_mark: :lady_beetle: [^1] |
+| `< v1.22`    | :x:                                   |
+
+## Reporting a Vulnerability
+
+Please disclose any vulnerabilities by sending an email to:
+
+[urfave-security@googlegroups.com](mailto:urfave-security@googlegroups.com)
+
+You should expect a response within 48 hours and further
+communications to be decided via email. The `urfave/cli` maintainer
+team comprises volunteers who contribute when possible, so please
+have patience :bow:
+
+[^1]: The `v1.22.x` series will receive bug fixes and security
+  patches only.