From f98773ec4615a495a4e8b2d8b0028cc8135f9a57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stephan=20Gro=C3=9Fberndt?= <stephan.grossberndt@typo3.org> Date: Wed, 26 Apr 2023 09:58:42 +0200 Subject: [PATCH] [DOCS] Update SECURITY.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Further improvements, most of them as proposed by Michael Schams Releases: main Resolves: #100755 Related: #100747 Related: #100740 Change-Id: I4111a8e1025eb7c2e5e5c3273e320505c153e4ec Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78875 Reviewed-by: Michael Schams <typo3.mschams@2023.schams.net> Tested-by: Torben Hansen <derhansen@gmail.com> Tested-by: Benni Mack <benni@typo3.org> Tested-by: Michael Schams <typo3.mschams@2023.schams.net> Tested-by: Jörg Bösche <typo3@joergboesche.de> Reviewed-by: Jörg Bösche <typo3@joergboesche.de> Tested-by: core-ci <typo3@b13.com> Tested-by: Thomas Hohn <tho@gyldendal.dk> Reviewed-by: Benni Mack <benni@typo3.org> Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by: Torben Hansen <derhansen@gmail.com> Reviewed-by: Thomas Hohn <tho@gyldendal.dk> --- SECURITY.md | 69 +++++++++++++++++++++++++++++++---------------------- 1 file changed, 41 insertions(+), 28 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index a9094fb0bb96..94606b41d7f1 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,9 +2,10 @@ ## Supported Versions -The following matrix shows the versions currently maintained by the -TYPO3 Community. Sprint releases (versions before 12.4.0 and 11.5.0, -in their corresponding branches) are neither maintained nor supported. +The following matrix shows the TYPO3 versions currently maintained by the TYPO3 +community. Sprint releases (versions before 12.4.0 and 11.5.0, in their +corresponding branches) have reached their end of support and don't receive any +further bug fixes or security patches. | Version | Supported | |----------|--------------------| 
@@ -18,40 +19,52 @@ in their corresponding branches) are neither maintained nor supported. ## Reporting a Vulnerability -Please report possible vulnerabilities to [security@typo3.org](mailto:security@typo3.org) +Please report vulnerabilities to [security@typo3.org](mailto:security@typo3.org). +Your report should include the following details: -* Name the affected project (either TYPO3 Core or a TYPO3 extension/plugin) -* Name the exact version or version range that has been analysed -* Provide a step-by-step description of how to exploit the potential vulnerability +* The affected project (either the TYPO3 Core or a TYPO3 extension). +* The exact version or version range that you analysed. +* A step-by-step explanation of how to exploit the potential vulnerability. -### Coordinated Disclosure +You can use the following GPG/PGP key ID to optionally encrypt your messages to +[security@typo3.org](mailto:security@typo3.org): -The [TYPO3 Security Team](https://typo3.org/community/teams/security) will -coordinate with core mergers or corresponding extension/plugin maintainers and -other affected parties. When a security fix is ready, we will package new -releases and announce the fix to the public using various communication channels like: +* Key ID: `C05FBE60` +* Fingerprint: `B41C C3EF 373E 0F5C 7018  7FE9 3BEF BD27 C05F BE60` + +You can download the public key from the following sources: + +* [typo3.org](https://typo3.org/fileadmin/t3o_common_storage/keys/B41CC3EF373E0F5C70187FE93BEFBD27C05FBE60.asc) +* [keys.openpgp.org](https://keys.openpgp.org/vks/v1/by-fingerprint/B41CC3EF373E0F5C70187FE93BEFBD27C05FBE60) + +## Coordinated Disclosure + +> :warning: We urge security researchers not to publish vulnerabilities in issue trackers or +discuss them publicly (e.g. on Slack or Twitter). + +The [TYPO3 Security Team](https://typo3.org/community/teams/security) coordinates +the process with the TYPO3 core developers, extension maintainers and other +affected parties. 
Once a security fix is available, we prepare a new release and +publish the fixed version. At the same time, we communicate the vulnerability and +the fix to the public by using various communication channels such as: * [TYPO3 Security Advisories](https://typo3.org/help/security-advisories) * [TYPO3 Security Team on Twitter](https://twitter.com/typo3_security) * [#announce channel on Slack](https://typo3.org/community/meet/how-to-use-slack-in-the-typo3-community) -* [TYPO3 Announce Mailing List](http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce) - -The TYPO3 Security Team is taking care of requesting CVE IDs (common vulnerability and exposer identifiers). -Please do not post or publish vulnerabilities to public issue trackers or discuss them on Slack or Twitter. +* [TYPO3 Announce Mailing List](https://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce) -### Message Encryption +The TYPO3 Security Team takes care of requesting [CVE IDs](https://www.cve.org/About/Process#CVERecordLifecycle) +(Common Vulnerabilities and Exposures identifiers). -It is possible to send GPG/PGP encrypted emails to [security@typo3.org](mailto:security@typo3.org) using key id -`C05FBE60` (complete fingerprint `B41C C3EF 373E 0F5C 7018  7FE9 3BEF BD27 C05F BE60`): +## TYPO3 Release Dates ("Patchday") -* download [public key file from typo3.org](https://typo3.org/fileadmin/t3o_common_storage/keys/B41CC3EF373E0F5C70187FE93BEFBD27C05FBE60.asc) -* download [public key file from keys.openpgp.org](https://keys.openpgp.org/vks/v1/by-fingerprint/B41CC3EF373E0F5C70187FE93BEFBD27C05FBE60) +We aim to publish TYPO3 maintenance releases on Tuesdays as a general rule. +However, exceptions apply (e.g. public holidays). Release dates of +[maintenance releases](https://typo3.org/cms/roadmap/maintenance-releases) +are scheduled in advance. These releases can contain security fixes. 
-## TYPO3 Release Dates / "Patchday" +## Further Information -TYPO3 releases (including possible security fixes) are usually published -on Tuesdays (except on holidays like Christmas or New Year). - -The [Maintenance Releases](https://typo3.org/cms/roadmap/maintenance-releases) -for stable versions have been scheduled in advance - it is very likely that -security fixes will also be released on these dates. +* [TYPO3 Security Team](https://typo3.org/community/teams/security) +* [TYPO3 Security Advisories](https://typo3.org/help/security-advisories) +* [TYPO3 Security Guidelines](https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/Security/Index.html) -- GitLab
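Review bot: In the "Reporting a Vulnerability" hunk, the encryption instructions lead with the 32-bit short key ID `C05FBE60`; 32-bit key IDs are cheap to collide, so a reporter who only searches a keyserver by `C05FBE60` can end up encrypting the exploit steps to a lookalike key. Suggest telling reporters to verify the full fingerprint `B41C C3EF 373E 0F5C 7018  7FE9 3BEF BD27 C05F BE60` after importing the key from either of the two listed sources, or giving the 16-hex-digit long key ID instead of the short one. Two smaller points in the same hunk: the blockquote warning under `## Coordinated Disclosure` continues on a second line without the `>` prefix (`+discuss them publicly (e.g. on Slack or Twitter).`); Markdown lazy continuation keeps it inside the quote, but prefixing that line with `> ` keeps the source consistent and survives renderers that do not apply lazy continuation. And the disclosure section now describes what happens once a fix is ready but still says nothing about acknowledgement of a report or an expected response time for the reporter; one sentence there would spare the security team follow-up mails.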