mirror of
https://github.com/jquery/jquery.git
synced 2026-01-10 03:58:09 -05:00
35 lines
1.5 KiB
Markdown
35 lines
1.5 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
The [latest released version](https://github.com/jquery/jquery/releases) of jQuery is supported.
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
Please report security issues **privately**:
|
|
|
|
- Email: security@jquery.com
|
|
|
|
**Do not** file public GitHub issues for security problems.
|
|
|
|
When reporting, please include:
|
|
- Affected project/repo and version(s)
|
|
- Impact and component(s) involved
|
|
- Reproduction steps or PoC (if available)
|
|
- Your contact and preferred credit name
|
|
|
|
If you do not receive an acknowledgement of your report within **6 business days**, or if you cannot find a private security contact for the project, you may **escalate to the OpenJS Foundation CNA** at `security@lists.openjsf.org`.
|
|
|
|
If the project acknowledges your report but does not provide any further response or engagement within **14 days**, escalation is also appropriate.
|
|
|
|
## Coordination & Disclosure
|
|
|
|
Important:
|
|
- If the vulnerability is considered valid and accepted, a patch will be made for the latest jQuery version.
|
|
- If the vulnerability is deemed invalid, no further action is required.
|
|
|
|
We follow coordinated vulnerability disclosure:
|
|
- We will acknowledge your report, assess impact, and work on a fix.
|
|
- We aim to provide status updates at reasonable intervals until resolution.
|
|
- We will publish a security advisory (and **CVE via the OpenJS CNA when applicable**) once a fix or mitigation is available. We credit reporters by default unless you request otherwise.
|