projects / exim.git / blame
| Commit | Line | Data |
|---|---|---|
| 3ff0668b PP |
1 | # Security Policy |
| 2 | ||
| 3 | ## Supported Versions | |
| 4 | ||
| 5 | We are an open source project with no corporate sponsor and no formal | |
| 6 | "support". In practice, we support the latest released version and work with | |
| 7 | OS vendors to make it easy for them to backport fixes for their distributed | |
| 8 | packages. For some security issues, we will issue a patch-release which has | |
| 9 | just a simple fix. | |
| 10 | ||
| 275dd1de | 11 | We also often have `exim-VERSION+fixes` branches with small things which we |
| 3ff0668b PP |
12 | recommend that vendors use. |
| 13 | ||
| 14 | For postmasters installing Exim manually, we recommend always using the latest | |
| 15 | released tarball. | |
| 16 | ||
| 17 | ## Reporting a Vulnerability | |
| 18 | ||
| 19 | Our security page is at <https://wiki.exim.org/EximSecurity>. | |
| 20 | It contains the current contact point and list of PGP keys to use for | |
| 21 | encrypting particularly sensitive information. | |
| 22 | This also links to our documentation and the chapter on security | |
| 23 | considerations. | |
| 24 | ||
| 25 | Our security release process is at | |
| 26 | <https://wiki.exim.org/SecurityReleaseProcess>. | |
| 27 | This covers what we do in handling vulnerability reports. | |
| 28 | ||
| 29 | We have no bug bounty program of our own; we're far too disparate a group of | |
| 30 | volunteers for such things. |