# Security Policy

## Supported Versions

We are an open source project with no corporate sponsor and no formal
"support". In practice, we support the latest released version and work with
OS vendors to make it easy for them to backport fixes into the packages they
distribute. For some security issues we issue a patch release that contains
only the fix for that issue, so that it can be adopted with minimal risk.

We also often maintain `exim-VERSION+fixes` branches carrying small fixes on
top of a release; we recommend that vendors build their packages from these.

For postmasters installing Exim manually, we recommend always using the latest
released tarball.

## Reporting a Vulnerability

Our security page is at <https://wiki.exim.org/EximSecurity>.
It contains the current contact point and the list of PGP keys to use for
encrypting particularly sensitive information.
It also links to our documentation and to the chapter on security
considerations.

Our security release process is at
<https://wiki.exim.org/SecurityReleaseProcess>.
This covers what we do when handling vulnerability reports.

We have no bug bounty program of our own; we're far too disparate a group of
volunteers for such things.