From 29338d824b5ec28c99880e71ac879b88c2fa0f36 Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Tue, 2 Jun 2026 08:52:34 +1000 Subject: [PATCH] Add SECURITY.md directing to confidential GitLab issues Part-of: --- SECURITY.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..0f8261f2 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,34 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a security vulnerability in libinput, please report it as a +**confidential issue** on GitLab: + +https://gitlab.freedesktop.org/libinput/libinput/-/issues/new?issue[confidential]=true + +Do **not** report security vulnerabilities through public issues, mailing +lists, or other public channels. + +A confidential issue is only visible to the project maintainers and the +reporter. Once the issue has been resolved and a fix has been released, the +issue will be made public. + +### What to Include in Your Report + +To help us triage and fix the issue quickly, please provide: +* A clear description of the vulnerability and its potential impact. +* Step-by-step instructions (or a Proof of Concept script) to reproduce the issue. +* The other information that the pre-filled issue template will request. + +## Our Process + +We will acknowledge receipt of your report as soon as possible. Note that due +to the small team working on libinput acknowledgement may take several days, +especially on weekends and public holidays. + +Our core team will investigate the issue in the confidential thread. We will +coordinate a security release and, where applicable, request a CVE. Credit +will be given to the reporter upon public disclosure unless requested +otherwise. If you require a specific text (e.g. "John Smith on behalf of +Corporation") please provide this information in the issue.
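Review bot: In "Reporting a Vulnerability", the sentence "A confidential issue is only visible to the project maintainers and the reporter" is narrower than what GitLab enforces. Confidential issues are readable by every project member whose role is high enough, not only by people holding the Maintainer role. Wording such as "project members with sufficient access and the reporter" would set the reporter's expectations correctly. The reporting link also carries literal square brackets (`issue[confidential]=true`); percent-encoding them as `issue%5Bconfidential%5D=true`, or wrapping the URL in angle brackets, guards against Markdown renderers that stop autolinking at a bracket and drop the confidential flag from the clickable link. Finally, the policy names GitLab as the only channel, so a reporter who cannot file an issue there has no private fallback; consider adding one, or stating explicitly that none exists.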