Security practice
Our standard security policy is presented here for convenience. Refer to the SECURITY.md file in each project (or click the "Security" tab from the repository overview page) for details that may supersede those presented here.
Patches for security vulnerabilities will be made available at the earliest opportunity. The versions that are eligible for such patches depend on the CVSS v3.1 severity rating:
| CVSS v3.1 | Supported Versions |
|---|---|
| 9.0-10.0 | Releases within the previous three months |
| 4.0-8.9 | Most recent release |
In the first instance, please report suspected security vulnerabilities using private vulnerability reporting by navigating to the "Security" tab of the repository and clicking "Report a vulnerability". Alternatively, submit your report by email to [email protected]. You should generally expect a response within 48 hours.
All GitHub Actions projects created by fish-shop include an OpenSSF Scorecard workflow that generates a security score to help you decide upon the trust, risk, and security posture for your own use case. The README.md file for each project includes a badge indicating the current security score, and the OpenSSF Scorecard Report viewer can be used to gain further insight into the restrictions that each project enforces to ensure a good security footing.
Dependabot is used across all our projects to maintain frequent dependency updates and detect known vulnerabilities.