|
@@ -3,7 +3,8 @@
|
|
|
## Supported Versions
|
|
|
|
|
|
At the moment Oh My Zsh only considers the very latest commit to be supported.
|
|
|
-We combine that with our fast response to incidents, so risk is minimized.
|
|
|
+We combine that with our fast response to incidents and the automated updates
|
|
|
+to minimize the time between vulnerability publication and patch release.
|
|
|
|
|
|
| Version | Supported |
|
|
|
|:-------------- |:------------------ |
|
|
@@ -14,9 +15,10 @@ In the near future we will introduce versioning, so expect this section to chang
|
|
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
|
|
-If you find a vulnerability, email all the maintainers directly at:
|
|
|
+**Do not submit an issue or pull request**: this might reveal the vulnerability.
|
|
|
|
|
|
-- Robby: robby [at] planetargon.com
|
|
|
-- Marc: hello [at] mcornella.com
|
|
|
+Instead, you should email the maintainers directly at: [**security@ohmyz.sh**](mailto:security@ohmyz.sh).
|
|
|
|
|
|
-**Do not open an issue or Pull Request directly**, because it might reveal the vulnerability.
|
|
|
+We will deal with the vulnerability privately and submit a patch as soon as possible.
|
|
|
+
|
|
|
+You can also submit your vulnerability report to [huntr.dev](https://huntr.dev/bounties/disclose/?utm_campaign=ohmyzsh%2Fohmyzsh&utm_medium=social&utm_source=github&target=https%3A%2F%2Fgithub.com%2Fohmyzsh%2Fohmyzsh) and see if you can get a bounty reward.
|