libuv/SECURITY.md

# Security Policy

## Supported Versions

Currently, we are providing security updates for the latest release in the v1.x series:

| Version | Supported          |
| ------- | ------------------ |
| Latest v1.x  | :white_check_mark: |

## Reporting a Vulnerability

If you believe you have found an active security vulnerability in `libuv`, please report it to libuv-security@googlegroups.com. Please report all other issues on the github issue tracker. We have been forced to terminate the ability to use Github's private vulnerability reporting due to a flood of AI-generated report spam, and a lack of sufficient moderation tools to manage the false reports.

This will allow us to assess the risk and make a fix available before we add a bug report to the GitHub repository and issue a Github security advisory and assign a CVE.

Please do:

* Provide as much information as you can about the vulnerability.
* Provide details about your configuration and environment, if applicable.

Please do not:

* Post any information about the vulnerability in public places.
* Attempt to exploit the vulnerability yourself.

We take all security bugs seriously. Thank you for improving the security of `libuv`. We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.
doc: add very basic Security Policy document (#4290) 2024-01-19 18:09:39 +00:00			`# Security Policy`

			`## Supported Versions`

			`Currently, we are providing security updates for the latest release in the v1.x series:`

			`\| Version \| Supported \|`
			`\| ------- \| ------------------ \|`
			`\| Latest v1.x \| :white_check_mark: \|`

			`## Reporting a Vulnerability`

misc: revise security vulnerability reporting instructions The project has been getting a flood of private vulnerability reports, most of which are invalid, and a few of which should have just been normal bugs. This has essentially been a DoS attack on maintainer time, since we're unable to change them into normal bugs after assessment. We now have a libuv-security@googlegroups.com list instead to help redirect those seeking CVE fame. The hope is to redirect most people to actually use the issue list as it has always been intended to be used. 2026-03-29 13:14:04 +00:00			If you believe you have found an active security vulnerability in `libuv`, please report it to libuv-security@googlegroups.com. Please report all other issues on the github issue tracker. We have been forced to terminate the ability to use Github's private vulnerability reporting due to a flood of AI-generated report spam, and a lack of sufficient moderation tools to manage the false reports.
doc: add very basic Security Policy document (#4290) 2024-01-19 18:09:39 +00:00
misc: revise security vulnerability reporting instructions The project has been getting a flood of private vulnerability reports, most of which are invalid, and a few of which should have just been normal bugs. This has essentially been a DoS attack on maintainer time, since we're unable to change them into normal bugs after assessment. We now have a libuv-security@googlegroups.com list instead to help redirect those seeking CVE fame. The hope is to redirect most people to actually use the issue list as it has always been intended to be used. 2026-03-29 13:14:04 +00:00			`This will allow us to assess the risk and make a fix available before we add a bug report to the GitHub repository and issue a Github security advisory and assign a CVE.`
doc: add very basic Security Policy document (#4290) 2024-01-19 18:09:39 +00:00
			`Please do:`

			`* Provide as much information as you can about the vulnerability.`
			`* Provide details about your configuration and environment, if applicable.`

			`Please do not:`

			`* Post any information about the vulnerability in public places.`
			`* Attempt to exploit the vulnerability yourself.`

misc: revise security vulnerability reporting instructions The project has been getting a flood of private vulnerability reports, most of which are invalid, and a few of which should have just been normal bugs. This has essentially been a DoS attack on maintainer time, since we're unable to change them into normal bugs after assessment. We now have a libuv-security@googlegroups.com list instead to help redirect those seeking CVE fame. The hope is to redirect most people to actually use the issue list as it has always been intended to be used. 2026-03-29 13:14:04 +00:00			We take all security bugs seriously. Thank you for improving the security of `libuv`. We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.