diff --git a/README.md b/README.md index 680382cb0..accfa31ee 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,7 @@ You can join the Portainer Community by visiting [https://www.portainer.io/join- ## Security -- Here at Portainer, we believe in [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) of security issues. If you have found a security issue, please report it to . +For information about reporting security vulnerabilities, please see our [Security Policy](SECURITY.md). ## Work for us diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..0acbdbf55 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,57 @@ +# Security Policy + +## Supported Versions + +Portainer maintains both Short-Term Support (STS) and Long-Term Support (LTS) versions in accordance with our official [Portainer Lifecycle Policy](https://docs.portainer.io/start/lifecycle). + +| Version Type | Support Status | +| --- | --- | +| LTS (Long-Term Support) | Supported for critical security fixes | +| STS (Short-Term Support) | Supported until the next STS or LTS release | +| Legacy / EOL | Not supported | + +For a detailed breakdown of current versions and their specific End of Life (EOL) dates, +please refer to the [Portainer Lifecycle Policy](https://docs.portainer.io/start/lifecycle). + +## Reporting a Vulnerability + +The Portainer team takes the security of our products seriously. If you believe you have found a security vulnerability in any Portainer-owned repository, please report it to us responsibly. + +**Please do not report security vulnerabilities via public GitHub issues.** + +### Disclosure Process + +1. **Report**: Email your findings to security@portainer.io. + +2. **Details**: To help us verify the issue, please include: + + - A description of the vulnerability and its potential impact. + + - Step-by-step instructions to reproduce the issue (e.g. proof-of-concept code, scripts, or screenshots). + + - The version of the software and the environment in which it was found. + +3. **Acknowledge**: We will acknowledge receipt of your report and provide an initial assessment. + +4. **Resolution**: We will work to resolve the issue as quickly as possible. We request that you do not disclose the vulnerability publicly until we have released a fix and notified affected users. + +## Our Commitment + +If you follow the responsible disclosure process, we will: + +- Respond to your report in a timely manner. + +- Provide an estimated timeline for remediation. + +- Notify you when the vulnerability has been patched. + +- Give credit for the discovery (if desired) once the fix is public. 
+ + +We will make every effort to promptly address any security weaknesses. Security advisories and fixes will be published through GitHub Security Advisories and other channels as needed. + +Thank you for helping keep Portainer and our community secure. + +## Resources + +- [Contributing to Portainer](https://docs.portainer.io/contribute/contribute#contributing-to-the-portainer-ce-codebase)
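Review bot: the new README line links to `SECURITY.md` with a relative path, so the pointer only resolves when the README is rendered inside the repository; anywhere the README is republished on its own (registry or package listings that mirror it) the link leads nowhere. Suggest an absolute link to the file in this repository instead, along the lines of `[Security Policy](https://github.com/<org>/<repo>/blob/<default-branch>/SECURITY.md)` with the placeholders filled in. The removed line also shows the old text ended in a dangling "please report it to ." with no address at all, so replacing the sentence outright rather than patching an address into it is the right call.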
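Review bot: step 1 of the Disclosure Process asks reporters to email proof-of-concept code and reproduction steps to security@portainer.io but offers no way to protect that report in transit (no PGP key or fingerprint, no pointer to GitHub's private vulnerability reporting form), so details of unpatched issues travel as plaintext mail; suggest publishing a key or enabling private reporting on the repository and referencing it next to the address. Two documentation gaps in the same hunk: "Acknowledge" and "Respond to your report in a timely manner" state no timeframe, so a reporter cannot tell when silence means the report was lost, and a concrete acknowledgement window ("within N business days", with whatever number the team actually commits to) would fix that; and scope is only "any Portainer-owned repository", which leaves unclear whether hosted services, documentation or websites are in or out. Minor: the Supported Versions table says LTS gets "critical security fixes" while deferring details to the lifecycle page, so whether high-severity non-critical issues in LTS are patched is ambiguous; either state it here or say explicitly that the lifecycle page is authoritative.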