mirror of
https://github.com/osm-search/Nominatim.git
synced 2024-12-02 22:04:09 +03:00
40 lines
1.6 KiB
Markdown
40 lines
1.6 KiB
Markdown
|
# Security Policy
|
||
|
|
||
|
## Supported Versions
|
||
|
|
||
|
All Nominatim releases receive security updates for two years.
|
||
|
|
||
|
The following table lists the end of support for all currently supported
|
||
|
versions.
|
||
|
|
||
|
| Version | End of support for security updates |
|
||
|
| ------- | ----------------------------------- |
|
||
|
| 3.7.x | 2023-04-05 |
|
||
|
| 3.6.x | 2022-12-12 |
|
||
|
| 3.5.x | 2022-06-05 |
|
||
|
| 3.4.x | 2021-10-24 |
|
||
|
|
||
|
## Reporting a Vulnerability
|
||
|
|
||
|
If you believe, you have found an issue in Nominatim that has implications on
|
||
|
security, please send a description of the issue to **security@nominatim.org**.
|
||
|
You will receive an acknowledgement of your mail within 3 work days where we
|
||
|
also notify you of the next steps.
|
||
|
|
||
|
## How we Disclose Security Issues
|
||
|
|
||
|
** The following section only applies to security issues found in released
|
||
|
versions. Issues that concern the master development branch only will be
|
||
|
fixed immediately on the branch with the corresponding PR containing the
|
||
|
description of the nature and severity of the issue. **
|
||
|
|
||
|
Patches for identified security issues are applied to all affected versions and
|
||
|
new minor versions are released. At the same time we release a statement at
|
||
|
the [Nominatim blog](https://nominatim.org/blog/) describing the nature of the
|
||
|
incident. Announcements will also be published at the
|
||
|
[geocoding mailinglist](https://lists.openstreetmap.org/listinfo/geocoding).
|
||
|
|
||
|
## List of Previous Incidents
|
||
|
|
||
|
* 2020-05-04 - [SQL injection issue on /details endpoint](https://lists.openstreetmap.org/pipermail/geocoding/2020-May/002012.html)
|