This is the security policy for software projects goverened by the CWL Project, a member project of the Software Freedom Conservancy.

For the security policies of other projects, software, and services related to the Common Workflow Language standards, but not provided by the CWL Project itself, please consult those projects or your vendor directly.

Unless otherwise noted, there are no "long term support" releases and only the latest release is supported for security updates in the form of a patch or superceding release.

All reports of security vulnerabilities related to the CWL Project should be sent to security@commonwl.org

We aim to acknowledge your report quickly, and to treat it confidentially.

All public mentions of the vulnerability will include acknowledgement, unless the reporter requests anonymity.

Prior to public reporting, we may co-ordinate with vendors and other implementors of the CWL standards so that they may check for similar vulnerabilities in their sofware, or upgrade/patch their dependencies in production environments to eliminate/mitigate the reported vulnerability or related vulnerabilities.

The more complete a vulnerability report is, the faster a resolution can be reached. Therefore, including any of the following in the initial report is appreciated, but should not stand in the way of timely disclosure:

• A high level summary of the vulnerability, including the impact.
• A clear list of vulnerable versions.
• A clear list of patch versions.
• Any caveats on when the software is vulnerable (for example, if only certain configurations are affected).
• Any workarounds or mitigation that can be implemented as a temporary fix.
• Technical details of the vulnerability.
• IDS/IPS signatures or other indicators of compromise.