From ce333c9de45b5f38cba11069eabde8abb8554e99 Mon Sep 17 00:00:00 2001 From: Kovid Goyal Date: Sun, 14 Sep 2025 21:13:58 +0530 Subject: [PATCH] Add a note about typical timelines for security incident responses --- SECURITY.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 991247e072..c9313acaf0 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -3,3 +3,10 @@ To report security vulnerabilities, open a normal bug report in the Additionally, you can use GitHub Private security advisories against this repository to report issues. + +Note that I will respond to security communication within 72 hours. Once +the bug is confirmed, it will be fixed or at least mitigated within another 72 +hours, at which time the fix will typically be committed to master and hence be +public. That timeline might be extended based on the severity of the issue and the +current state of master in terms of making a new release, if so, it will be +done in consultation with the issue reporter.
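Review bot: The added paragraph commits to hard deadlines ("will respond ... within 72 hours", "will be fixed or at least mitigated within another 72 hours") and then immediately softens them with "might be extended"; since a SECURITY.md is what reporters rely on when deciding how long to wait before disclosing, consider phrasing the targets as goals (for example "I aim to respond within 72 hours") and stating explicitly what a reporter should do if no response arrives in that window. The last sentence is also a comma splice ("... making a new release, if so, it will be done ..."); split it into two sentences, e.g. "That timeline might be extended based on the severity of the issue and the current state of master with respect to making a new release. If so, this will be done in consultation with the issue reporter." Finally, the note says the fix is "committed to master and hence be public" but does not say whether a tagged release or advisory follows; because users of released versions stay exposed between the public commit and the next release, it would help reporters to know whether a release is cut for security fixes and whether a GitHub security advisory (mentioned in the unchanged context above) is published alongside the commit.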