Re: [PATCH 1/2] SECURITY: describe how to report vulnerabilities

[Denton Liu <liu.denton@gmail.com>]

Hi Dscho,

On Fri, Mar 26, 2021 at 10:12:45PM +0000, Johannes Schindelin via GitGitGadget wrote:
> From: Johannes Schindelin <johannes.schindelin@gmx.de>
> 
> In the same document, describe that Git does not have Long Term Support
> (LTS) release trains, although security fixes are always applied to a
> few of the most recent release trains.
> 
> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
> ---
>  SECURITY.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 51 insertions(+)
>  create mode 100644 SECURITY.md
> 
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 000000000000..282790164e78
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,51 @@
> +# Security Policy
> +
> +## Reporting a vulnerability
> +
> +Please send a detailed mail to git-security@googlegroups.com to
> +report vulnerabilities in Git.
> +
> +Even when unsure whether the bug in question is an exploitable
> +vulnerability, it is recommended to send the report to
> +git-security@googlegroups.com (and obviously not to discuss the
> +issue anywhere else).
> +
> +Vulnerabilities are expected to be discussed _only_ on that
> +list, and not in public, until the official announcement on the
> +Git mailing list on the release date.
> +
> +Examples for details to include:
> +
> +- Ideally a short description (or a script) to demonstrate an
> +  exploit.
> +- The affected platforms and scenarios (the vulnerability might
> +  only affect setups with case-sensitiv file systems, for

Small typo: s/sensitiv/&e/