diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 034e848032..7dd5548d87 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md 
@@ -2,20 +2,33 @@ ## Supported Versions -Use this section to tell people about which versions of your project are -currently being supported with security updates. +The RT-Thread project supports the following versions with security updates: -| Version | Supported | -| ------- | ------------------ | -| 5.1.x | :white_check_mark: | -| 5.0.x | :x: | -| 4.0.x | :white_check_mark: | -| < 4.0 | :x: | + - The most recent release, and the release prior to that. + - Active LTS releases. + +At this time, with the latest release of v5.0.0, the supported +versions are: + + - xxx + - xxx ## Reporting a Vulnerability -Use this section to tell people how to report a vulnerability. +Please see [xx](xx) for detail about the security vulnerability reporting process. +Vulnerabilities to the RT-Thread project may be reported via email to the XXX@XXX mailing list. These reports will be acknowledged and analyzed by the security response team within 1 week. Each vulnerability will be entered into the RT-Thread security advisory GitHub. + +To report a security vulnerability, you need to provide at least the following information: + +### Summary +_Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._ + +### Details +_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._ + +### PoC +_Complete instructions, including specific configuration details, to reproduce the vulnerability._ + +### Impact +_Give all affected versions. What kind of vulnerability is it? Which components are impacted?_ -Tell them where to go, how often they can expect to get an update on a -reported vulnerability, what to expect if the vulnerability is accepted or -declined, etc.
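Review bot: the placeholder tokens in this hunk must be filled in before merge, because as written the published SECURITY.md gives reporters nothing actionable: the supported-versions list reads `- xxx` / `- xxx`, the process link is `[xx](xx)`, and the reporting address is `XXX@XXX`. Replace them with the concrete release numbers, the real link to the reporting process, and the actual mailing-list address. Also, `At this time, with the latest release of v5.0.0` contradicts the table this hunk removes, which listed `5.1.x` as a supported version; the sentence should state the actual current release, and the list beneath it should name the releases that satisfy the stated policy (most recent release, the release prior, and active LTS). Finally, the `within 1 week` acknowledgement commitment is a public promise; confirm the security response team can meet it before it ships.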