diff --git a/SECURITY.md b/SECURITY.md index 5acefa28..fb238413 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,32 +1,36 @@ -# Reporting Security Vulnerabilities +# Reporting security vulnerabilities -Oracle values the independent security research community, and believes that -responsible disclosure of security vulnerabilities helps us to ensure the security -and privacy of all of our users. +Oracle values the independent security research community and believes that +responsible disclosure of security vulnerabilities helps us ensure the security +and privacy of all our users. Please do NOT raise a GitHub Issue to report a security vulnerability. If you -believe you have found a security vulnerability, then please submit a report to +believe you have found a security vulnerability, please submit a report to [secalert_us@oracle.com][1] preferably with a proof of concept. Please review some additional information on [how to report security vulnerabilities to Oracle][2]. -Oracle encourages anyone who contacts Oracle Security to use email encryption, using +We encourage people who contact Oracle Security to use email encryption using [our encryption key][3]. -Please do not use other channels, or contact the project maintainers +We ask that you do not use other channels or contact the project maintainers directly. -For non-vulnerability related security issues, including ideas for new or improved -security features, you are welcome to post these as GitHub Issues. +Non-vulnerability related security issues including ideas for new or improved +security features are welcome on GitHub Issues. -## Security Updates, Alerts and Bulletins +## Security updates, alerts and bulletins -Oracle issues security updates on a regular cadence. Many of our projects typically include release security fixes in conjunction with the [Oracle Critical Patch Update][3] program. Security updates are released on the -Tuesday closest to the 17th day of January, April, July and October. A pre-release announcement will be published on the Thursday preceding each release. 
Additional information, including past advisories, is available on our [security alerts][4] +Security updates will be released on a regular cadence. Many of our projects +will typically release security fixes in conjunction with the +[Oracle Critical Patch Update][3] program. Additional +information, including past advisories, is available on our [security alerts][4] page. -## Security-Related Information +## Security-related information -Oracle will provide security-related information in our documentation. The information can be a threat model, best practices for secure use, or any known security issues. Please note -that labs and example code are intended to demonstrate a concept. These examples should not be used for production use without ensuring that the code is hardened, and in compliance with common security practices. +We will provide security related information such as a threat model, considerations +for secure use, or any known security issues in our documentation. Please note +that labs and sample code are intended to demonstrate a concept and may not be +sufficiently hardened for production use. [1]: mailto:secalert_us@oracle.com [2]: https://www.oracle.com/corporate/security-practices/assurance/vulnerability/reporting.html
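Review bot: In the added lines, `[our encryption key][3]` and `[Oracle Critical Patch Update][3]` share the reference label [3], so both links resolve to the same URL and one of them sends the reader to the wrong page. The removed lines had the same reuse, so this rewrite carries the problem forward. For a reporting policy that matters: a researcher following the encryption link needs to reach the key, not the patch-update page (or the reverse). Give the Critical Patch Update link its own reference label and add a matching definition in the reference list at the bottom of the file; the definition of [3] is outside the visible lines, so please confirm which target it currently holds. Two smaller points in the same hunk: the rewrite drops the concrete schedule (the Tuesday closest to the 17th day of January, April, July and October, plus the Thursday pre-release announcement), which is worth stating in the commit message if intentional; and the body text "security related information" is unhyphenated while the new heading reads "Security-related information".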