From 0d9b761dbd206b6ba7ca69e6e7cba344a99abcbf Mon Sep 17 00:00:00 2001 From: Thomas A Caswell Date: Mon, 31 Oct 2022 18:15:19 -0400 Subject: [PATCH] GOV: change security reporting to use tidelift --- SECURITY.md | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 8cac0a77d53e..73ec8fdb3a38 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -17,15 +17,12 @@ versions. ## Reporting a Vulnerability -If you have found a security vulnerability, in order to keep it confidential, -please do not report an issue on GitHub. -Please email us details of the vulnerability at matplotlib-steering-council@numfocus.org; -include a description and proof-of-concept that is [short and -self-contained](http://www.sscce.org/). +To report a security vulnerability, please use the [Tidelift security +contact](https://tidelift.com/security). Tidelift will coordinate the fix and +disclosure. -You should expect a response within a week of your email. Depending on the -severity of the issue, this may require some time to draft an immediate bugfix -release. Less severe issues may be held until the next release. +If you have found a security vulnerability, in order to keep it confidential, +please do not report an issue on GitHub. We do not award bounties for security vulnerabilities.
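Review bot: In the "Reporting a Vulnerability" hunk, the replacement text drops both the request for a description and a short, self-contained proof-of-concept and the "You should expect a response within a week" sentence, so a reporter reading the new SECURITY.md no longer knows what to include or how long to wait. Consider keeping one sentence on what a report should contain, and stating whether any response-time expectation still applies now that Tidelift coordinates the fix and disclosure. The instruction not to report an issue on GitHub now comes after the Tidelift paragraph; placing it first, or folding it into the same paragraph, would make the confidentiality requirement harder to miss.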