+## Dealing with security vulnerability reports++This information is intended for package authors who have packages listed on the [SSWG's package index](https://swift.org/server/#projects). If instead you found (or have heard of) a security vulnerability you'd like to report, please have a look over [here](contributor-found-vulnerability.md).++---++The discovery of a security vulnerability in your code can be daunting, but it is part of the life of any software developer. So first of all, don't stress. If you need any help at any step of the way, please feel free to contact any of the SSWG members or the group as a whole at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org).++Here is a step-by-step guide on what to do with regards to the SSWG:++1. The SSWG is only a secondary point of contact which can broadcast information about vulnerabilities. The best way to start is to start addressing the vulnerability according to the security process of your own package.+2. As soon as you can -- but within 10 calendar days of discovering / receiving notification about the vulnerability -- please notify the SSWG about the vulnerability at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org). The SSWG will not disclose any information about this vulnerability and the emails can only be seen by the SSWG members listed on [swift.org/server](https://swift.org/server/) as well as the [Swift Core team](https://swift.org/community/#community-structure). If you prefer to share the vulnerability only with a smaller group, please feel free to reach out to any of the SSWG members individually.+3. After fixing the vulnerability, please promptly (within three days of releasing the fixed version) create a new Swift Forums post in the [Server > Security Updates](https://forums.swift.org/c/server/security-updates/50) category, linking to your own security advisory. The security advisory should contain at least which versions of what software are affected and how to update to an unaffected version.++From [_graduated_](https://github.com/swift-server/sswg/blob/master/process/incubation.md#process-diagram) projects the SSWG typically expects that the whole process -- from the initial report/discovery to fixing and publishing the vulnerability -- is completed within 30 days. We do however acknowledge that certain types of vulnerabilities are either very complicated to address or a part of a "coordinated disclosure" which means that 30 days may not be enough. That is absolutely understandable, please however make sure to inform the SSWG (at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org)) about your anticipated timelines and any significant divergence from the plan.++A package maintainer's failure to report or address vulnerabilities may result in the SSWG publishing a security advisory, and could lead to retracting the project's status and listing it under the non-recommended projects list. In some cases, the SSWG may choose to find a technical contributor that can help resolve the security issues to minimize the impact. SSWG actions will be decided on a case by case basis and require a supermajority vote.++Project authors are also encouraged to make use of their source control system security features (for example: [GitHub's "Security Advisories"](https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories) and [GitLab's "Confidential Issues"](https://docs.gitlab.com/ee/user/project/issues/confidential_issues.html)) to manage the vulnerabilities and inform their users.

+## SSWG security requirements for packages on the index++This information is intended for package authors who have packages listed on the SSWG's package index or are looking into pitching/proposing their package to be listed. If instead you found (or have heard of) a security vulnerability you’d like to report, please have a look over [here](contributor-found-vulnerability.md).++---++Packages that are listed on the [SSWG's package index](https://swift.org/server/#projects) are required to follow the following guidelines around security.++Where security vulnerabilities are involved, it is key to ensure that somebody who discovers a vulnerability in your package can immediately find information on how to report it. As the package author, you know best where to put important information about your software. In general, it is typically the `README.md` file in the root of your repository on GitHub/GitLab/etc. The phrase "main information page" is used elsewhere in this document to refer to the `README.md` or other resource as appropriate for your project.++The key requirements are:

+## SSWG security requirements for packages on the index++This information is intended for package authors who have packages incubated by the SSWG and listed on the package index or are looking into pitching/proposing their package to be listed. If instead you found (or have heard of) a security vulnerability you’d like to report, please have a look over [here](contributor-found-vulnerability.md).++---++Packages that are incubated by the SSWG and are listed on the [SSWG's package index](https://swift.org/server/#projects) are required to follow the following guidelines around security.++Where security vulnerabilities are involved, it is key to ensure that somebody who discovers a vulnerability in your package can quickly find information on how to report it. As the package author, you know best where to put important information about your software. Bear in mind that many of your users will see your repository's readme file (usually `README.md`) first. So make sure to link to your security policy from there.++A file named `SECURITY.md` in the root of your repository is the recommended place to put your full security policy. It is also worth noting that some vendors (like GitHub) automatically discover and promote `SECURITY.md` which make the relevant information even easier to find for your users.

+## SSWG security requirements for packages on the index++This information is intended for package authors who have packages listed on the SSWG's package index or are looking into pitching/proposing their package to be listed. If instead you found (or have heard of) a security vulnerability you’d like to report, please have a look over [here](contributor-found-vulnerability.md).++---++Packages that are listed on the [SSWG's package index](https://swift.org/server/#projects) are required to follow the following guidelines around security.++Where security vulnerabilities are involved, it is key to ensure that somebody who discovers a vulnerability in your package can immediately find information on how to report it. As the package author, you know best where to put important information about your software. In general, it is typically the `README.md` file in the root of your repository on GitHub/GitLab/etc. The phrase "main information page" is used elsewhere in this document to refer to the `README.md` or other resource as appropriate for your project.

+## Dealing with security vulnerability reports++This information is intended for package authors who have packages listed on the [SSWG's package index](https://swift.org/server/#projects). If instead you found (or have heard of) a security vulnerability you'd like to report, please have a look over [here](contributor-found-vulnerability.md).++---++The discovery of a security vulnerability in your code can be daunting, but it is part of the life of any software developer. So first of all, don't stress. If you need any help at any step of the way, please feel free to contact any of the SSWG members or the group as a whole at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org).++Here is a step-by-step guide on what to do with regards to the SSWG:++1. The SSWG is only a secondary point of contact which can broadcast information about vulnerabilities. The best way to start is to start addressing the vulnerability according to the security process of your own package.+2. As soon as you can -- but within 10 calendar days of discovering / receiving notification about the vulnerability -- please notify the SSWG about the vulnerability at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org). The SSWG will not disclose any information about this vulnerability and the emails can only be seen by the SSWG members listed on [swift.org/server](https://swift.org/server/) as well as the [Swift Core team](https://swift.org/community/#community-structure). If you prefer to share the vulnerability only with a smaller group, please feel free to reach out to any of the SSWG members individually.+3. After fixing the vulnerability, please promptly (within three days of releasing the fixed version) create a new Swift Forums post in the [Server > Security Updates](https://forums.swift.org/c/server/security-updates/50) category, linking to your own security advisory. The security advisory should contain at least which versions of what software are affected and how to update to an unaffected version.++From [_graduated_](https://github.com/swift-server/sswg/blob/master/process/incubation.md#process-diagram) projects the SSWG typically expects that the whole process -- from the initial report/discovery to fixing and publishing the vulnerability -- is completed within 30 days. We do however acknowledge that certain types of vulnerabilities are either very complicated to address or a part of a "coordinated disclosure" which means that 30 days may not be enough. That is absolutely understandable, please however make sure to inform the SSWG (at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org)) about your anticipated timelines and any significant divergence from the plan.++A package maintainer's failure to report or address vulnerabilities may result in the SSWG publishing a security advisory, and could lead to retracting the project's status and listing it under the non-recommended projects list. In some cases, the SSWG may choose to find a technical contributor that can help resolve the security issues to minimize the impact. SSWG actions will be decided on a case by case basis and require a supermajority vote.++Project authors are also encouraged to make use of their source control system security features (for example: [GitHub's "Security Advisories"](https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories) and [GitLab's "Confidential Issues"](https://docs.gitlab.com/ee/user/project/issues/confidential_issues.html)) to manage the vulnerabilities and inform their users.

+# Security++Security is at the heart of a healthy and dependable software ecosystem, and therefore also at the heart of the SSWG. The documents linked from this page are intended to provide clear and simple guidance for both users and developers of packages listed in the SSWG's package index.++## Available information++The information we have is split into different scenarios, depending on why you are here. Each piece of information is supposed to be self-contained, so please select the most appropriate one. If the reason you are here is not covered, please get in touch with the [SSWG on the forums](https://forums.swift.org/c/server/serverdev/14). If you're just curious, feel free to read it all at once 😊.

+# Security++Security is at the heart of a healthy and dependable software ecosystem, and therefore also at the heart of the SSWG. The documents linked from this page are intended to provide clear and simple guidance for both users and developers of packages listed in the SSWG's package index.++## Available information++The information we have is split into different scenarios, depending on why you are here. Each piece of information is supposed to be self-contained, so please select the most appropriate one. If the reason you are here is not covered, please get in touch with the [SSWG on the forums](https://forums.swift.org/c/server/serverdev/14). If you're just curious, feel free to read it all at once 😊.

 Changes to the Swift Server Ecosystem index page will be announced by the SSWG u * Include list of adopters for at least the primary repo ideally laid out in an ADOPTERS.md files or logos on the project website * Optionally, have a [Developer Certificate of Origin](https://developercertificate.org) or a [Contributor License Agreement](https://en.wikipedia.org/wiki/Contributor_License_Agreement) -## Security Best Practices+## Security -Project authors that discover, or have been advised of vulnerabilities in their projects must report them to the SSWG within 10d. Graduated projects are expected to address vulnerabilities within 30d. Reports should be sent to the SSWG using [Swift forums](https://forums.swift.org/c/server/security-updates).--Failure to report or address vulnerabilities may result in the SSWG publishing a security advisory, and could lead to retracting the project's status and listing it under the non-recommended projects list. In some cases, the SSWG may choose to find a technical contributor that can help resolve the security issues to minimize the impact. SSWG actions will be decided on a case by case basis and require a supermajority vote.--The SSWG will publicly share a list of vulnerabilities and fixes on [Swift forums](https://forums.swift.org/c/server/security-updates) to inform the Swift Server user community. Members are encouraged to subscribe to notifications and adopt fixes as soon as possible.--Project authors are also encouraged to make use of their source control system security features (for example: Github's "Security Advisories" and Gitlab's "Confidential Issues") to manage the vulnerabilities and inform their users.+Please follow the guidance laid out in the [Security](security.md) document.

 Changes to the Swift Server Ecosystem index page will be announced by the SSWG u * Include list of adopters for at least the primary repo ideally laid out in an ADOPTERS.md files or logos on the project website * Optionally, have a [Developer Certificate of Origin](https://developercertificate.org) or a [Contributor License Agreement](https://en.wikipedia.org/wiki/Contributor_License_Agreement) -## Security Best Practices+## Security -Project authors that discover, or have been advised of vulnerabilities in their projects must report them to the SSWG within 10d. Graduated projects are expected to address vulnerabilities within 30d. Reports should be sent to the SSWG using [Swift forums](https://forums.swift.org/c/server/security-updates).--Failure to report or address vulnerabilities may result in the SSWG publishing a security advisory, and could lead to retracting the project's status and listing it under the non-recommended projects list. In some cases, the SSWG may choose to find a technical contributor that can help resolve the security issues to minimize the impact. SSWG actions will be decided on a case by case basis and require a supermajority vote.--The SSWG will publicly share a list of vulnerabilities and fixes on [Swift forums](https://forums.swift.org/c/server/security-updates) to inform the Swift Server user community. Members are encouraged to subscribe to notifications and adopt fixes as soon as possible.--Project authors are also encouraged to make use of their source control system security features (for example: Github's "Security Advisories" and Gitlab's "Confidential Issues") to manage the vulnerabilities and inform their users.+Please follow the guidance laid out in the [Security](security.md) document.

+## SSWG security requirements for packages on the index++This information is intended for package authors who have packages listed on the SSWG's package index or are looking into pitching/proposing their package to be listed. If instead you found (or have heard of) a security vulnerability you’d like to report, please have a look over [here](contributor-found-vulnerability.md).++---++Packages that are listed on the [SSWG's package index](https://swift.org/server/#projects) are required to follow the following guidelines around security.

+## SSWG security requirements for packages on the index++This information is intended for package authors who have packages listed on the SSWG's package index or are looking into pitching/proposing their package to be listed. If instead you found (or have heard of) a security vulnerability you’d like to report, please have a look over [here](contributor-found-vulnerability.md).

+## Dealing with security vulnerability reports++This information is intended for package authors who have packages listed on the [SSWG's package index](https://swift.org/server/#projects). If instead you found (or have heard of) a security vulnerability you'd like to report, please have a look over [here](contributor-found-vulnerability.md).++---++The discovery of a security vulnerability in your code can be daunting, but it is part of the life of any software developer. So first of all, don't stress. If you need any help at any step of the way, please feel free to contact any of the SSWG members or the group as a whole at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org).++Here is a step-by-step guide on what to do with regards to the SSWG:++1. The SSWG is only a secondary point of contact which can broadcast information about vulnerabilities. The best way to start is to start addressing the vulnerability according to the security process of your own package.+2. As soon as you can -- but within 10 calendar days of discovering / receiving notification about the vulnerability -- please notify the SSWG about the vulnerability at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org). The SSWG will not disclose any information about this vulnerability and the emails can only be seen by the SSWG members listed on [swift.org/server](https://swift.org/server/) as well as the [Swift Core team](https://swift.org/community/#community-structure). If you prefer to share the vulnerability only with a smaller group, please feel free to reach out to any of the SSWG members individually.+3. After fixing the vulnerability, please promptly (within three days of releasing the fixed version) create a new Swift Forums post in the [Server > Security Updates](https://forums.swift.org/c/server/security-updates/50) category, linking to your own security advisory. The security advisory should contain at least which versions of what software are affected and how to update to an unaffected version.++From [_graduated_](https://github.com/swift-server/sswg/blob/master/process/incubation.md#process-diagram) projects the SSWG typically expects that the whole process -- from the initial report/discovery to fixing and publishing the vulnerability -- is completed within 30 days. We do however acknowledge that certain types of vulnerabilities are either very complicated to address or a part of a "coordinated disclosure" which means that 30 days may not be enough. That is absolutely understandable, please however make sure to inform the SSWG (at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org)) about your anticipated timelines and any significant divergence from the plan.++A package maintainer's failure to report or address vulnerabilities may result in the SSWG publishing a security advisory, and could lead to retracting the project's status and listing it under the non-recommended projects list. In some cases, the SSWG may choose to find a technical contributor that can help resolve the security issues to minimize the impact. SSWG actions will be decided on a case by case basis and require a supermajority vote.

+## Dealing with security vulnerability reports++This information is intended for package authors who have packages listed on the [SSWG's package index](https://swift.org/server/#projects). If instead you found (or have heard of) a security vulnerability you'd like to report, please have a look over [here](contributor-found-vulnerability.md).++---++The discovery of a security vulnerability in your code can be daunting, but it is part of the life of any software developer. So first of all, don't stress. If you need any help at any step of the way, please feel free to contact any of the SSWG members or the group as a whole at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org).++Here is a step-by-step guide on what to do with regards to the SSWG:++1. The SSWG is only a secondary point of contact which can broadcast information about vulnerabilities. The best way to start is to start addressing the vulnerability according to the security process of your own package.+2. As soon as you can -- but within 10 calendar days of discovering / receiving notification about the vulnerability -- please notify the SSWG about the vulnerability at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org). The SSWG will not disclose any information about this vulnerability and the emails can only be seen by the SSWG members listed on [swift.org/server](https://swift.org/server/) as well as the [Swift Core team](https://swift.org/community/#community-structure). If you prefer to share the vulnerability only with a smaller group, please feel free to reach out to any of the SSWG members individually.+3. After fixing the vulnerability, please promptly (within three days of releasing the fixed version) create a new Swift Forums post in the [Server > Security Updates](https://forums.swift.org/c/server/security-updates/50) category, linking to your own security advisory. The security advisory should contain at least which versions of what software are affected and how to update to an unaffected version.++From [_graduated_](https://github.com/swift-server/sswg/blob/master/process/incubation.md#process-diagram) projects the SSWG typically expects that the whole process -- from the initial report/discovery to fixing and publishing the vulnerability -- is completed within 30 days. We do however acknowledge that certain types of vulnerabilities are either very complicated to address or a part of a "coordinated disclosure" which means that 30 days may not be enough. That is absolutely understandable, please however make sure to inform the SSWG (at [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org)) about your anticipated timelines and any significant divergence from the plan.