From 7961023f8c912afa5870fe467e96bd0cd0bc4b32 Mon Sep 17 00:00:00 2001 From: CanbiZ <47820557+MickLesk@users.noreply.github.com> Date: Wed, 17 Sep 2025 17:26:17 +0200 Subject: [PATCH] Improve: SECURITY.md for clarity and detail + Adding PVE9 as supported (#7690) --- SECURITY.md | 54 ++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 47 insertions(+), 7 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index c2ad24e54..7d7db9f43 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,24 +1,64 @@ +# Security Policy + ## Supported Versions -This project currently supports the following versions of Proxmox VE: + +This project currently supports the following versions of Proxmox VE (PVE): | Version | Supported | | ------- | ------------------ | +| 9.0.x | :white_check_mark: | | 8.4.x | :white_check_mark: | | 8.3.x | :white_check_mark: | | 8.2.x | :white_check_mark: | | 8.1.x | :white_check_mark: | -| 8.0.x | Limited support* ❕| +| 8.0.x | Limited support* ❕ | | < 8.0 | :x: | -*Version 8.0.x has limited support. Security updates may not be provided for all issues in this version. +*Version 8.0.x has limited support. Security updates may not be provided for all issues affecting this version. + +--- ## Reporting a Vulnerability -Security vulnerabilities shouldn’t be reported publicly to prevent potential exploitation. Instead, please report any vulnerabilities privately by reaching out directly to us. You can either join our [Discord server](https://discord.gg/jsYVk5JBxq) and send a direct message to a maintainer or contact us via email at contact@community-scripts.org. Be sure to include a detailed description of the vulnerability and the steps to reproduce it. Thank you for helping us keep our project secure! +Security vulnerabilities must not be reported publicly to avoid potential exploitation. +Instead, please report them privately via one of the following channels: -Once a vulnerability has been reported, the project maintainers will review it and acknowledge the report within 7 business days. We will then work to address the vulnerability and provide a fix as soon as possible. Depending on the severity of the issue, a patch may be released immediately or included in the next scheduled update. +- **Discord**: Join our [Discord server](https://discord.gg/jsYVk5JBxq) and send a direct message to a maintainer. +- **Email**: Write to us at **contact@community-scripts.org** with the subject line: + `Vulnerability Report - `. 
-Please note that not all reported vulnerabilities may be accepted. The project maintainers reserve the right to decline a vulnerability report if it is deemed to be a low-risk issue or if it conflicts with the project's design or architecture. In such cases, we will provide an explanation for the decision. +When reporting a vulnerability, please provide: -If you have any questions or concerns about this security policy, please don't hesitate to contact the project maintainers. +- A clear description of the issue +- Steps to reproduce the vulnerability +- Affected versions or environments +- (Optional) Suggested fixes or workarounds +--- + +## Response Process + +1. **Acknowledgment** + - We will review and acknowledge your report within **7 business days**. + +2. **Assessment** + - The maintainers will verify the issue and classify its severity. + - Depending on impact, a patch may be released immediately or scheduled for the next update. + +3. **Resolution** + - Critical security fixes will be prioritized. + - Non-critical issues may be deferred or declined with an explanation. + +--- + +## Disclaimer + +Not all reported issues will be treated as vulnerabilities. +Reports may be declined if they are deemed: +- Low-risk +- Out of project scope +- Conflicting with intended design or architecture + +--- + +If you have any questions or concerns about this security policy, please reach out to the maintainers through the contact options above.
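Review bot: the email subject template added under "Reporting a Vulnerability", `Vulnerability Report - `, ends after the hyphen with nothing following, so a reporter has no indication of what the subject line should contain after the prefix; if an angle-bracket placeholder was intended and dropped in rendering, a plain-text one such as `Vulnerability Report - [short description]` (wording is a suggestion) would survive Markdown rendering and make the expected format clear. Two smaller points in the same hunk: the footnote line `*Version 8.0.x has limited support...` begins with an unescaped asterisk that Markdown may treat as the start of emphasis rather than a footnote marker, so `\*Version 8.0.x ...` (matching a `Limited support\*` cell) would render more predictably; and the "Disclaimer" list says reports may be declined as "Low-risk" while "Resolution" says non-critical issues "may be deferred or declined with an explanation", so stating once that a declined report always receives the explanation would keep the two sections consistent.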