From ef9a3a63e65481005f88afb50eccfacd2ae7044b Mon Sep 17 00:00:00 2001 From: Rusty Russell Date: Mon, 6 Feb 2023 13:16:49 +1030 Subject: [PATCH] SECURITY.md: Tell them to spam me, and include our GPG fingerprints. Added Alex since he's Release Captain this time. Changelog-Added: SECURITY.md: Where to send sensitive bug reports, and dev GPG fingerprints. Signed-off-by: Rusty Russell --- SECURITY.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..a56ee308c423 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,24 @@ +# Security Policy + +## Supported Versions + +We have a 3 month release cycle, and the last two versions are supported. + +## Reporting a Vulnerability + +To report security issues send an email to rusty@rustcorp.com.au, or +security@bockstream.com (not for support). + +## Signatures For Releases + +The following keys may be used to communicate sensitive information to +developers, and to validate signatures on releases: + +| Name | Fingerprint | +|------|-------------| +| Rusty Russell | 15EE 8D6C AB0E 7F0C F999 BFCB D920 0E6C D1AD B8F1 | +| Christian Decker | B731 AAC5 21B0 1385 9313 F674 A26D 6D9F E088 ED58 | +| Lisa Neigut | 30DE 693A E0DE 9E37 B3E7 EB6B BFF0 F678 10C1 EED1 | +| Alex Myers | 0437 4E42 789B BBA9 462E 4767 F3BF 63F2 7474 36AB | + +You can import a key by running the following command with that individual’s fingerprint: `gpg --keyserver hkps://keys.openpgp.org --recv-keys ""` Ensure that you put quotes around fingerprints containing spaces.