Skip to content

Commit fd464a4

Browse files
Revise SECURITY.md for clarity on security policies
Updated the security policy to clarify supported versions, reporting vulnerabilities, and scope of responsibility.
1 parent 9c41e9c commit fd464a4

1 file changed

Lines changed: 96 additions & 0 deletions

File tree

SECURITY.md

Lines changed: 96 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,96 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
Six Labors provides security fixes only for the latest major version of each library.
6+
7+
Older major versions are end-of-life and do not receive security fixes.
8+
9+
Users must upgrade to the latest major version to receive security fixes.
10+
11+
| Version | Supported |
12+
| -------------------- | --------- |
13+
| Latest major version | Yes |
14+
| Older major versions | No |
15+
16+
Security fixes, if any, are provided at Six Labors' discretion.
17+
18+
This policy does not create any obligation to provide support, maintenance services, SLAs, custom fixes, hosted services, managed services, operational monitoring, professional services, consulting, or certification of customer products.
19+
20+
## Reporting a Vulnerability
21+
22+
Please report suspected security vulnerabilities using GitHub private vulnerability reporting for the relevant Six Labors repository, where available.
23+
24+
If GitHub private vulnerability reporting is not available for a repository, please report suspected security vulnerabilities by contacting Six Labors through the contact details published on the Six Labors website.
25+
26+
Do not report security vulnerabilities through public GitHub issues.
27+
28+
When reporting a vulnerability, please include as much relevant information as possible:
29+
30+
* affected package and version
31+
* target framework and runtime
32+
* operating system
33+
* input file or minimal reproduction, if safe to share
34+
* expected and actual behavior
35+
* potential security impact
36+
* whether you believe the issue is being actively exploited
37+
38+
Six Labors may review reported vulnerabilities and determine whether they are security issues affecting a supported version.
39+
40+
A report may be declined or closed without action if, in Six Labors' opinion, it:
41+
42+
* is not reproducible
43+
* does not affect a supported version
44+
* affects only an unsupported or end-of-life version
45+
* is not a security vulnerability
46+
* depends on unsafe, unsupported, or unintended use
47+
* depends on a vulnerable application, environment, dependency, configuration, or deployment outside the Six Labors library itself
48+
* lacks sufficient information for assessment
49+
* is duplicative
50+
* has already been fixed
51+
* is otherwise outside the scope of this policy
52+
53+
If a vulnerability is accepted, Six Labors may handle it through GitHub Security Advisories and, where appropriate, CVE assignment.
54+
55+
Six Labors does not guarantee any response time, fix time, release date, advisory publication date, CVE assignment, workaround, mitigation, or particular outcome for any report.
56+
57+
## Scope
58+
59+
This policy applies only to security vulnerabilities in Six Labors libraries themselves.
60+
61+
This policy does not apply to:
62+
63+
* customer applications
64+
* customer products
65+
* customer deployments
66+
* customer infrastructure
67+
* customer data
68+
* third-party services
69+
* unsupported versions
70+
* end-of-life versions
71+
* forks or modified versions
72+
* usage outside the documented or intended behavior of the relevant library
73+
74+
Organizations using Six Labors libraries are responsible for assessing, securing, testing, monitoring, updating, and maintaining their own applications, products, deployments, infrastructure, and supply chains.
75+
76+
## Cyber Resilience Act
77+
78+
Six Labors libraries are general-purpose software libraries.
79+
80+
They are not cybersecurity products, identity or access management systems, password managers, operating systems, browsers, firewalls, network management tools, SIEM tools, hypervisors, container runtimes, or other Cyber Resilience Act important or critical product classes.
81+
82+
If a Six Labors library is treated as a product with digital elements under the Cyber Resilience Act, Six Labors assesses it as an ordinary software component.
83+
84+
Organizations incorporating Six Labors libraries into products made available on the EU market are responsible for assessing and meeting their own regulatory obligations for those products, including any obligations under the Cyber Resilience Act.
85+
86+
Six Labors does not provide support, maintenance services, SLAs, managed services, hosted services, operational monitoring, custom fixes, professional services, consulting, or certification of customer products.
87+
88+
Security vulnerabilities in supported Six Labors libraries are handled through the GitHub Security Advisory process for the relevant repository, where appropriate.
89+
90+
From 11 September 2026, if Six Labors becomes aware of credible active exploitation of a vulnerability in a supported Six Labors library, or a severe security incident affecting a supported Six Labors library, Six Labors may report the matter through the applicable Cyber Resilience Act reporting mechanism where legally required.
91+
92+
## No Warranty
93+
94+
Six Labors libraries are provided in accordance with their applicable license terms.
95+
96+
Nothing in this policy creates any warranty, representation, guarantee, support obligation, maintenance obligation, service commitment, regulatory certification, or assumption of responsibility for any customer product, customer deployment, customer compliance obligation, or third-party system.

0 commit comments

Comments
 (0)