Skip to content

Security: jdamato-fsly/h2o

Security

SECURITY.md

Report a security issue

The h2o project team welcomes security reports and is committed to providing prompt attention to security issues. Security issues should be reported privately via [email protected].

Security advisories

Remediation of security vulnerabilities is prioritized by the project team. The project team endeavors to coordinate remediation with third-party stakeholders, and is committed to transparency in the disclosure process. The h2o team announces security issues via Github Release notes as well as the h2o website on a best-effort basis.

Vulnerability Disclosure Policy

Once the report has been acknowledged by the h2o maintainer team, the timeline window to public disclosure will start.

  • Timeline window to public disclosure is 90 days long.

  • The h2o maintainer team will remediate the vulnerability before the 90 day window closes.

  • There will be a 14-day grace period AFTER the 90 day window, in which the h2o maintainer team can negotiate to make the report publicly available.

    Example: The 90 day due date falls on a holiday for the h2o maintainers. The h2o maintainers can negotiate with the reporter to move the disclosure to 4 days after the 90 day due date.

  • The exact time (in UTC) and date of public disclosure will be agreed upon by the h2o maintainers and the reporter.

There aren’t any published security advisories