.. _security-policy:

========================================
Security Policy
========================================

Overview
========

This document outlines how the FlightGear project handles security vulnerabilities. All contributors (**especially maintainers**), users, security researchers, and community members are encouraged to review and follow these guidelines.

Security Updates and Advisories
===============================

- Information about security vulnerabilities is published as CVEs, and can be viewed from any CVE feed.
- Official advisories will also be posted on the FlightGear website.

Information for Security Researchers
====================================

If you have discovered a security vulnerability in FlightGear, we would like to work with you collaboratively to resolve the issue.

Reporting a Vulnerability
-------------------------

.. attention::

   Please **do not** publicly disclose a vulnerability immediately. Instead, please collaborate with us to **responsibly disclose** the vulnerability, and allow us time to respond so that we may prepare and distribute a fix to protect our users.

To report a vulnerability, please create a **confidential** GitLab issue `here `_. Please include as many details about the vulnerability as you can, such as:

- Description of the vulnerability and its impact
- Affected FlightGear versions
- Steps to reproduce or proof of concept
- Any relevant logs or error messages

What happens next
~~~~~~~~~~~~~~~~~

After you have submitted a vulnerability, the following steps are taken:

- **Investigation**: A member of the FlightGear team will follow up with you via the GitLab issue, and potentially request additional information.
- **Remediation**: We will begin to develop a fix for the vulnerability, create a new release, and prepare that new release for distribution. In urgent cases, the fix may be backported to older versions of FlightGear.
- **Responsible Disclosure**: When a new release containing the fix is available to users, the FlightGear team will file for a CVE through our chosen CNA, GitLab. The CVE **will not** be published until the release is available. Unless you wish to remain anonymous, you will be credited as the individual who discovered the vulnerability.

.. admonition:: What if I don't hear back from you?

   If for some reason you do not hear back from a member of the FlightGear team via the GitLab issue within 90 days, you are encouraged to file for a CVE and publicly disclose the vulnerability, in accordance with responsible disclosure practices.