This document explains how mangos-zero issues are handled by the core team.
Reporting a Security Issue
If you think that you have found a security issue in mangos-zero, don’t use the bug tracker and do not post it publicly. Instead, all security issues must be sent to theluda [at] getmangos.com. Emails sent to this address are forwarded to the core team members.
For each report, we first try to confirm the vulnerability. When it is confirmed, the team works on a solution following these steps:
- Send an acknowledgement to the reporter;
- Work on a patch;
- Write a security announcement for the official mangos-zero blog about the vulnerability. This post should contain the following:
  - a title that always includes the “Security release” string;
  - a description of the vulnerability;
  - the affected versions;
  - the possible exploits;
  - how to patch/upgrade/workaround affected applications;
- Send the patch and the announcement to the reporter for review;
- Apply the patch to all maintained versions of mangos-zero;
- Publish the post on the official mangos-zero blog;
- Update the security advisory list (see below).
Releases that include security issues should not be done on Saturday or Sunday, except if the vulnerability has been publicly posted.
While we are working on a patch, please do not reveal the issue publicly.