Security Policy

The Netatalk Project takes cyber security very seriously. We commit to following
up on and resolving potential security flaws in our code as quickly as we can. The
reporter of an accepted and patched vulnerability will be given credit in the
advisory published by this project.

Supported Versions

This table indicates the Netatalk release series that are currently guaranteed to
get security patches.

| Version | Supported          |
| ------- | ------------------ |
| 4.0.x   | :white_check_mark: |
| 3.2.x   | :white_check_mark: |
| 3.1.x   | :white_check_mark: |
| 3.0.x   | :x:                |
| 2.4.x   | :white_check_mark: |
| < 2.4   | :x:                |

Reporting a Vulnerability

If you think you have found an exploitable security vulnerability in Netatalk,
the Netatalk Team would be eager to hear from you!

The best way to get in touch with us is by filing a report via the private
security vulnerability reporting workflow in GitHub. This allows us to
collaborate in private and avoid putting end-users at potential risk in the
meantime.

In order for us to take effective action on your report, please include as much
context as possible:

  - An unambiguous link to the affected source code, including the specific line
    and Git commit hash
  - Configurations or input data required to reproduce the issue
  - Concrete steps to reproduce the issue
  - Ideally, proof-of-concept code that demonstrates the exploit
  - A summary of the issue's potential impact

Response

If we are able to reproduce and subsequently patch the vulnerability, we will
publish an advisory on netatalk.io where you are credited as finder and
reporter. If you also contribute a patch, you will be credited as patch
developer.

Please be mindful that Netatalk is a volunteer driven project. We do this on our
free time, so response times may vary. That said, we will try to take action on
your report as soon as possible!
