This document outlines security procedures and general policies for the smtprelay project.

The latest release is the only supported release.

The smtprelay maintainers take all security issues in the project seriously. Thank you for improving the security of the project! We appreciate your dedication to responsible disclosure and will make every effort to acknowledge your contributions.

smtprelay leverages GitHub's private vulnerability reporting.

To learn more about this feature and how to submit a vulnerability report, review GitHub's documentation on private reporting.

Here are some helpful details to include in your report:

• a detailed description of the issue
• the steps required to reproduce the issue
• versions of the project that may be affected by the issue
• if known, any mitigations for the issue

A maintainer will acknowledge the report within three (3) business days, and will send a more detailed response within an additional three (3) business days indicating the next steps in handling your report.

After the initial reply to your report, the maintainers will endeavor to keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

When the maintainers receive a disclosure report, they will coordinate the fix and release process, which involves the following steps:

• confirming the issue
• determining affected versions of the project
• auditing code to find any potential similar problems
• preparing fixes for all releases under maintenance

If you have suggestions on how this process could be improved please submit an issue or pull request.