summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatt Holt <mholt@users.noreply.github.com>2023-07-08 14:02:09 -0600
committerGitHub <noreply@github.com>2023-07-08 14:02:09 -0600
commit7ceef91295343237f5b81ed00e3ba7e8e594d603 (patch)
tree2b4d0db97614f0cc839932266c459dae970d060d
parent5dec11f2a0e920d5466ff224a0749a667193e3ce (diff)
Minor tweaks to security.md
-rw-r--r--.github/SECURITY.md6
1 files changed, 3 insertions, 3 deletions
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
index 9d1b313..44cc5b7 100644
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -7,7 +7,7 @@ The Caddy project would like to make sure that it stays on top of all practicall
| Version | Supported |
| ------- | ------------------ |
-| 2.x | :white_check_mark: |
+| 2.x | ✔️ |
| 1.x | :x: |
| < 1.x | :x: |
@@ -24,7 +24,7 @@ We do not accept reports if the steps imply or require a compromised system or t
Client-side exploits are out of scope. In other words, it is not a bug in Caddy if the web browser does something unsafe, even if the downloaded content was served by Caddy. (Those kinds of exploits can generally be mitigated by proper configuration of HTTP headers.) As a general rule, the content served by Caddy is not considered in scope because content is configurable by the site owner or the associated web application.
-Security bugs in code dependencies are out of scope. Instead, if a dependency has patched a relevant security bug, please feel free to open a public issue or pull request to update that dependency in our code.
+Security bugs in code dependencies (including Go's standard library) are out of scope. Instead, if a dependency has patched a relevant security bug, please feel free to open a public issue or pull request to update that dependency in our code.
## Reporting a Vulnerability
@@ -42,7 +42,7 @@ We'll need enough information to verify the bug and make a patch. To speed thing
- Specific minimal steps to reproduce the issue from scratch
- A working patch
-Please DO NOT use containers, VMs, cloud instances or services, or any other complex infrastructure in your steps. Always prefer `curl` instead of web browsers.
+Please DO NOT use containers, VMs, cloud instances or services, or any other complex infrastructure in your steps. Always prefer `curl -v` instead of web browsers.
We consider publicly-registered domain names to be public information. This necessary in order to maintain the integrity of certificate transparency, public DNS, and other public trust systems. Do not redact domain names from your reports. The actual content of your domain name affects Caddy's behavior, so we need the exact domain name(s) to reproduce with, or your report will be ignored.