Inquiry about incident response policy for continued use of BouncyCastle.Cryptography #696
Unanswered
shuichi-hatakeyama
asked this question in
Q&A
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Dear Bouncy Castle Team,
We are planning to continue using BouncyCastle.Cryptography in our internal system on a long-term basis. We always keep the library up to date with the latest stable version, so version management itself is not the subject of this inquiry.
The purpose of this message is to understand your response policy in case any issue occurs with BouncyCastle.Cryptography in the future, so that we can properly assess risks and prepare a contingency plan.
Could you please advise on the following points?
If a functional defect in BouncyCastle.Cryptography is reported, how do you typically respond, and through which channel?
If a security vulnerability is reported, what is the appropriate reporting channel, and how is it handled?
Is there any general guideline or expected timeframe for providing fixes for critical defects or vulnerabilities?
When a fix takes time, do you usually provide workarounds or mitigation guidance to users?
Is any commercial support, priority support, LTS, or SLA-based support available (for example, via Keyfactor)?
Where can users check known vulnerabilities, security advisories, and release information?
How do you handle issues that originate from dependent libraries?
Could you share the current maintenance structure of the project (for example, number of active maintainers, sponsors, or supporting organizations)?
If the project becomes unmaintained in the future, is there any notification policy or recommended migration path for users?
In an emergency, is it acceptable under the current license for users to fork the project or apply their own patches internally?
This inquiry is not a bug report or a vulnerability report. It is only for internal risk assessment and contingency planning for continued use.
Thank you for your time and support.
Best regards, Shuichi Hatakeyama Contact: +81 90-5497-7124
Beta Was this translation helpful? Give feedback.
All reactions