SECURITY.md

   1 # Security Policy
   2
   3 ## Supported Versions
   4
   5 We are an open source project with no corporate sponsor and no formal
   6 "support".  In practice, we support the latest released version and work with
   7 OS vendors to make it easy for them to backport fixes for their distributed
   8 packages.  For some security issues, we will issue a patch-release which has
   9 just a simple fix.
  10
  11 We also often have `exim-VERSION+fixes` branches with small things which we
  12 recommend that vendors use.
  13
  14 For postmasters installing Exim manually, we recommend always using the latest
  15 released tarball.
  16
  17 ## Reporting a Vulnerability
  18
  19 Our security page is at <https://wiki.exim.org/EximSecurity>.
  20 It contains the current contact point and list of PGP keys to use for
  21 encrypting particularly sensitive information.
  22 This also links to our documentation and the chapter on security
  23 considerations.
  24
  25 Our security release process is at
  26 <https://wiki.exim.org/SecurityReleaseProcess>.
  27 This covers what we do in handling vulnerability reports.
  28
  29 We have no bug bounty program of our own; we're far too disparate a group of
  30 volunteers for such things.