From e06dfcf6ed3a8e7b07540751ce4391cb1743337d Mon Sep 17 00:00:00 2001 From: Matt Holt Date: Wed, 4 Mar 2026 16:16:24 -0700 Subject: [PATCH] Update SECURITY.md Simplify what versions are supported, clarify our policy for unreleased code (or beta code), and expand our AI policy to require a disclosure in ALL cases, even if AI is not used. As well as an invitation to share in some chocolate milk with us if you're human. --- .github/SECURITY.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index eb7437269..2b72b95b6 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -1,15 +1,14 @@ # Security Policy -The Caddy project would like to make sure that it stays on top of all practically-exploitable vulnerabilities. +The Caddy project would like to make sure that it stays on top of all relevant and practically-exploitable vulnerabilities. ## Supported Versions -| Version | Supported | -| -------- | ----------| -| 2.latest | ✔️ | -| 1.x | :x: | -| < 1.x | :x: | +| Version | Supported | +| ----------- | ----------| +| 2.latest | ✔️ | +| <= 2.latest | :x: | ## Acceptable Scope @@ -26,6 +25,8 @@ Client-side exploits are out of scope. In other words, it is not a bug in Caddy Security bugs in code dependencies (including Go's standard library) are out of scope. Instead, if a dependency has patched a relevant security bug, please feel free to open a public issue or pull request to update that dependency in our code. +We accept security reports and patches, but do not assign CVEs, for code that has not been released with a non-prerelease tag. + ## Reporting a Vulnerability 
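Review bot: the new Supported Versions table contradicts itself: `2.latest` is marked supported while the next row, `<= 2.latest`, is marked unsupported, and `<= 2.latest` includes `2.latest`. The second row should read `< 2.latest` (strictly older than the latest 2.x release), which also still covers the removed `1.x` and `< 1.x` rows. The added sentence on unreleased code ("We accept security reports and patches, but do not assign CVEs, for code that has not been released with a non-prerelease tag.") would be easier to apply if it named what counts as a non-prerelease tag (for example, excluding `-beta`/`-rc` tags), since the rest of the table speaks only of `2.latest`.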
@@ -33,7 +34,7 @@ We get a lot of difficult reports that turn out to be invalid. Clear, obvious re First please ensure your report falls within the accepted scope of security bugs (above). -**YOU MUST DISCLOSE THE USE OF LLMs ("AI") INVOLVED IN ANY WAY.** Whether you are using AI for discovery, as part of writing the report or its replies, and/or testing or validating proofs and changes, we require you to mention the extent of it. **FAILURE TO INCLUDE A DISCLOSURE MAY LEAD TO IMMEDIATE DISMISSAL OF YOUR REPORT AND POTENTIAL BLOCKLISTING.** +:warning: **YOU MUST DISCLOSE WHETHER YOU USED LLMs ("AI") IN ANY WAY.** Whether you are using AI for discovery, as part of writing the report or its replies, and/or testing or validating proofs and changes, we require you to mention the extent of it. **FAILURE TO INCLUDE A DISCLOSURE EVEN IF YOU DO NOT USE AI MAY LEAD TO IMMEDIATE DISMISSAL OF YOUR REPORT AND POTENTIAL BLOCKLISTING.** We will not waste our time chatting with bots. But if you're a human, pull up a chair and we'll drink some chocolate milk. We'll need enough information to verify the bug and make a patch. To speed things up, please include:
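Review bot: the bolded consequence in the new disclosure line is ambiguous: "FAILURE TO INCLUDE A DISCLOSURE EVEN IF YOU DO NOT USE AI MAY LEAD TO IMMEDIATE DISMISSAL" can be read as the dismissal applying even to non-AI reports, or as the disclosure being required even when no AI was used. The commit message says the intent is the latter, so state it directly, for example: "Every report must state whether LLMs were used; a report that omits this, including an explicit statement that no AI was used, may be dismissed and the reporter blocklisted." The preceding sentence ("we require you to mention the extent of it") still presupposes usage and could add "or state that none was used" so the two sentences agree.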