From e7458a09f0e7ebb59b637eacb614cab9b64e133d Mon Sep 17 00:00:00 2001
From: Oliver Hader <oliver@typo3.org>
Date: Mon, 17 Aug 2020 20:35:57 +0200
Subject: [PATCH] [TASK] Add SECURITY.md

Resolves: #92037
Releases: master, 10.4, 9.5
Change-Id: I1278496485ead10a46f82c1d681db1e48a0aac1d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65360
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
---
 SECURITY.md | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000000..2289be22eaf1
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,58 @@ +# Security Policy + +## Supported Versions + +The following matrix shows the versions that are currently maintained +by the TYPO3 Community. Sprint releases (versions before 10.4.0 and +before 9.5.0, in their corresponding branches) are not maintained nor +supported. + +| Version | Supported | +| --------------- | ------------------ | +| 10.4.x | :white_check_mark: | +| 10.3.x | :x: | +| 10.2.x | :x: | +| 10.1.x | :x: | +| 10.0.x | :x: | +| 9.5.x | :white_check_mark: | +| < 9.5.0 | :x: | + +## Reporting a Vulnerability + +Please report potential vulnerabilities to [security@typo3.org](mailto:security@typo3.org) + +* mention the project that is affected (either TYPO3 core or a TYPO3 extension/plugin) +* mention the exact version or version range that has been analyzed +* provide a step-by-step description on how to exploit the potential vulnerability + +### Coordinated Disclosure + +The TYPO3 Security Team will coordinate with core mergers or corresponding +extension/plugin maintainers and other affected parties. If a security fix +is ready, we then will package new releases and announce the fix to the +public using various communication channels like: + +* [TYPO3 Security Advisories](https://typo3.org/help/security-advisories) +* [TYPO3 Security Team on Twitter](https://twitter.com/typo3_security) +* [#announce channel on Slack](https://typo3.org/community/meet/how-to-use-slack-in-the-typo3-community) +* [TYPO3 Announce Mailing List](http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce) + +The TYPO3 Security Team is taking care of requesting CVE IDs (common vulnerability and exposer identifiers). +Please do not post or publish vulnerabilties to public issue trackers or discuss it on Slack or Twitter. 
+ +### Message Encryption + +It is possible to send GPG/PGP encrypted emails to security@typo3.org using key id +`C05FBE60` (complete fingerprint `B41CÂ C3EFÂ 373EÂ 0F5CÂ 7018Â Â 7FE9Â 3BEFÂ BD27Â C05FÂ BE60`): + +* download [public key file from typo3.org](https://typo3.org/fileadmin/t3o_common_storage/keys/B41CC3EF373E0F5C70187FE93BEFBD27C05FBE60.asc) +* download [public key file from keys.openpgp.org](https://keys.openpgp.org/vks/v1/by-fingerprint/B41CC3EF373E0F5C70187FE93BEFBD27C05FBE60) + +## TYPO3 Release Dates / "Patchday" + +TYPO3 releases (including potential security fixes) are usually released +on Tuesdays (except for holidays like Christmas or New Year's Day). + +[Maintenance releases](https://typo3.org/cms/roadmap/maintenance-releases) +for stable versions have been scheduled in advance - it is very likely that +security fixes are released during these dates as well. -- GitLab
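Review bot: the "Message Encryption" section leads with the 32-bit short key id `C05FBE60`; short ids are cheap to collide, so a reporter who fetches the key by that id alone can end up encrypting a report to an impostor key. Lead with the full fingerprint instead and tell reporters to compare it after import, e.g. "verify that `gpg --fingerprint` shows `B41C C3EF 373E 0F5C 7018 7FE9 3BEF BD27 C05F BE60` before encrypting". Related: the fingerprint groups in this hunk are separated by non-breaking spaces (rendered here as `Â`), which will not paste cleanly into gpg; use plain spaces or the unspaced 40-hex form that the two download URLs already use. Minor wording in the same hunk: "common vulnerability and exposer identifiers" should read "Common Vulnerabilities and Exposures", "vulnerabilties" is missing an "i", and the typo3-announce mailing-list link is plain `http://` while every other link is `https://`.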