For the LTEX+ project, the security of its users is its top priority. This document contains information on which versions are supported with security updates and how to report potential security vulnerabilities.
By default, only the most recent published version of LTEX+ is supported with security updates.
If deemed relevant by the maintainers (depending on the severity of the security vulnerability and the need to keep older versions for compatibility), older versions of LTEX+ might also get security updates in exceptional circumstances.
LTEX+ follows Microsoft's definition of security vulnerabilities.
In this document, the term “vulnerability” is synonymous to “security vulnerability.”
Please do not report security vulnerabilities through public GitHub issues.
Please report security vulnerabilities via the Security Advisory form under the Security tab in the GitHub repository (instructions).
You can expect an initial response within 24 hours. If you do not get a response, please send a follow-up message.
In your report, please include at least the following information (as much as possible):
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Paths of source files related to the issue
- Location of the affected source code (tag/branch/commit)
- Configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
The steps of the process of handling vulnerabilities is as follows:
- Initial response
- Confirmation that the issue is a security vulnerability
- All vulnerable versions have been unpublished/deleted
- Fix is being implemented
- Fix is implemented
- Confirmation that the issue has been fixed in a new non-public pre-release
- Fix is pushed and released; responsible disclosure
- Post-mortem analysis
You will obtain an update as soon as the next step has been completed, but no later than 5 days after the last update.
LTEX+ follows the principle of responsible disclosure. This means that security vulnerabilities are disclosed, but only a specific period of time.
Vulnerabilities are disclosed as soon as a fix has been pushed and released or after 30 days after the initial report, whichever comes first. No information must be disclosed before the embargo ends, neither by the reporter nor by the maintainers.
Vulnerabilities are disclosed in the project
- as a new GitHub security advisory,
- as a new and pinned GitHub issue, and
- in the changelog.
In the disclosure, the reporter is given proper credit, unless they request to stay anonymous. The reporter is free to post their own analysis on personal pages.
After the vulnerability has been disclosed, a thorough post-mortem analysis is performed to minimize the risk of future vulnerabilities of similar nature. The analysis is focused on the underlying root causes and newly implemented counter-measures.
When the post-mortem analysis is complete, the description of the GitHub issue, in which the issue has been disclosed, is amended to include the analysis.