This document sets out the security policy and procedures for the SimpleID project.
Security patches will be provided for the following versions:
- 1.x
If you discover a vulnerability in SimpleID, keep it confidential. Do not disclose the vulnerability to anyone before the advisory is issued.
Provide details of the vulnerability directly to kmo-at-users.sourceforge.net. Do not use the GitHub issue system.
At a minimum, your report should include:
- the version of SimpleID, and your hosting environment
- the steps required to reproduce the problem
- any other information which you think would be useful in diagnosing the problem
If you know how to fix the problem or a temporary workaround, include it in the report.
We will acknowledge your report as soon as we can. We will use reasonable endeavours to keep you informed while we investigate and create a fix. We may ask you for additional information or guidance as part of our investigation.
Some issues take time to correct, and the process may involve a review of the code for similar problems.
When a fix is ready, an advisory urging users to upgrade is published. If the vulnerability is discovered for the first time, you will be credited in the advisory.
Report security bugs in third-party modules to the person or team maintaining the module.
If you have suggestions on how this process could be improved, please submit a pull request.