From 6c4e0f257f3528c1a4937b57b680a94208b6cbf2 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Tue, 14 Jul 2026 19:29:14 +0200 Subject: [PATCH] Create SECURITY.md --- SECURITY.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..e3dea7d --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,28 @@ +# Security Policy + +## Reporting a Vulnerability + +This project takes security seriously —this is meant literally —not like some companies claim after a breach or other security incident. + +The attack surface of testssl.sh is quite small and thus there should not be any serious blunders. We followed recommeded patterns, e.g. like validate inputs and a lot more. + +However this project was made by humans and despite our dedication there could be still security bugs. If you find one and the impact is not low, please use [Responsible +Disclosure](https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)#Coordinated_vulnerability_disclosure), see +[github docs](https://docs.github.com/en/enterprise-cloud@latest/code-security/how-tos/report-and-fix-vulnerabilities/report-privately) and report them *privately* . If you happen +to have a PoC, it will be much appreciated but it is not mandatory. Using [Full Disclosure](https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)#Full_disclosure) might be a problem for the people setting up a website using testssl.sh as a scanner or users. +Also keep in mind that the maintainers here have a professional attitude but this project, it is a spare time project. + + +## Supported Versions + +As said in the Readme.md we only support n-1 versions , n being the branch/minor version: + +| Branches | Supported | +| -------- | ------------------ | +| 3.3dev | :white_check_mark: | +| 3.2.x | :white_check_mark: | +| 3.0.x | :x: | +| <=2.9.5 | :x: | + +For x (patch version) we expect your report to refer to the latest release. For the rolling release version (*dev) please refer to the latest and greatest @ github. +