45 lines
1.7 KiB
Markdown
45 lines
1.7 KiB
Markdown
# Security policies
|
|
|
|
## Release security
|
|
|
|
The PCRE2 project provides source-only releases, with no binaries.
|
|
|
|
These source releases can be downloaded from the
|
|
[GitHub Releases](https://github.com/PCRE2Project/pcre2/releases) page. Each
|
|
release file is GPG-signed.
|
|
|
|
* Releases up to and including 10.44 are signed by Philip Hazel (GPG key:
|
|
<kbd>45F68D54BBE23FB3039B46E59766E084FB0F43D8</kbd>)
|
|
* Releases from 10.45 onwards will be signed by Nicholas Wilson (GPG key:
|
|
<kbd>A95536204A3BB489715231282A98E77EB6F24CA8</kbd>, cross-signed by Philip
|
|
Hazel's key for release continuity)
|
|
|
|
From releases 10.45 onwards, the source code will additionally be provided via
|
|
Git checkout of the (GPG-signed) release tag.
|
|
|
|
Please contact the maintainers for any queries about release integrity or the
|
|
project's supply-chain.
|
|
|
|
## Reporting vulnerabilities
|
|
|
|
The PCRE2 project prioritises security. We appreciate third-party testing and
|
|
security research, and would be grateful if you could responsibly disclose your
|
|
findings to us. We will make every effort to acknowledge your contributions.
|
|
|
|
To report a security issue, please use the GitHub Security Advisory
|
|
["Report a Vulnerability"](https://github.com/PCRE2Project/pcre2/security/advisories/new)
|
|
tab. (Alternatively, if you prefer you may send a GPG-encrypted email to one of
|
|
the maintainers.)
|
|
|
|
### Timeline
|
|
|
|
As a very small volunteer team, we cannot guarantee rapid response, but would
|
|
aim to respond within 1 week, or perhaps 2 during holidays.
|
|
|
|
### Response procedure
|
|
|
|
PCRE2 has never previously made a rapid or embargoed release in response to a
|
|
security incident. We would work with security managers from trusted downstream
|
|
distributors, such as major Linux distributions, before disclosing the
|
|
vulnerability publicly.
|