Commit | Line | Data |
---|---|---|
3ff0668b PP | 1 | # Security Policy |
2 | ||
3 | ## Supported Versions | |
4 | ||
5 | We are an open source project with no corporate sponsor and no formal | |
6 | "support". In practice, we support the latest released version and work with | |
7 | OS vendors to make it easy for them to backport fixes for their distributed | |
8 | packages. For some security issues, we will issue a patch-release which has | |
9 | just a simple fix. | |
10 | ||
275dd1de | 11 | We also often have `exim-VERSION+fixes` branches with small things which we |
3ff0668b PP | 12 | recommend that vendors use. |
13 | ||
14 | For postmasters installing Exim manually, we recommend always using the latest | |
15 | released tarball. | |
16 | ||
17 | ## Reporting a Vulnerability | |
18 | ||
19 | Our security page is at <https://wiki.exim.org/EximSecurity>. | |
20 | It contains the current contact point and list of PGP keys to use for | |
21 | encrypting particularly sensitive information. | |
22 | This also links to our documentation and the chapter on security | |
23 | considerations. | |
24 | ||
25 | Our security release process is at | |
26 | <https://wiki.exim.org/SecurityReleaseProcess>. | |
27 | This covers what we do in handling vulnerability reports. | |
28 | ||
29 | We have no bug bounty program of our own; we're far too disparate a group of | |
30 | volunteers for such things. |