Update README.md and SECURITY.md to address security questions

There has been a supply chain attack against the original xz implementation, [CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094). README.md has been updated to clarify that this implementation is not affected. SECURITY.md supports now Github's private security reports.
ulikunitz · Apr 3, 2024 · 4f11dce · 4f11dce
1 parent f56ebbf
commit 4f11dce
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -75,3 +75,14 @@ To decompress it use the following command.
 
     $ gxz -d bigfile.xz
 
+## Security & Vulnerabilities
+
+The security policy is documented in [SECURITY.md](SECURITY.md). 
+
+The software is not affected by the supply chain attack on the original xz
+implementation, [CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094).
+This implementation doesn't share any files with the original xz implementation
+and no patches or pull requests are accepted without a review.
+
+All security advisories for this project are published under
+[github.com/ulikunitz/xz/security/advisories](https://github.com/ulikunitz/xz/security/advisories?state=published).
diff --git a/SECURITY.md b/SECURITY.md
@@ -6,5 +6,14 @@ Currently the last minor version v0.5.x is supported.
 
 ## Reporting a Vulnerability
 
-Report a vulnerability by creating a Github issue at
-<https://github.com/ulikunitz/xz/issues>. Expect a response in a week.
+You can privately report a vulnerability following this
+[procedure](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+Alternatively you can create a Github issue at
+<https://github.com/ulikunitz/xz/issues>.
+
+In both cases expect a response in at least 7 days.
+
+## Security Advisories
+
+All security advisories for this project are published under
+[github.com/ulikunitz/xz/security/advisories](https://github.com/ulikunitz/xz/security/advisories?state=published).
diff --git a/TODO.md b/TODO.md
@@ -86,6 +86,11 @@
 
 ## Log
 
+### 2024-04-03
+
+Release v0.5.12 updates README.md and SECURITY.md to address the supply chain
+attack on the original xz implementation.
+
 ### 2022-12-12
 
 Matt Dantay (@bodgit) reported an issue with the LZMA reader. The implementation

diff --git a/doc/relnotes/release-v0.5.12.md b/doc/relnotes/release-v0.5.12.md
@@ -0,0 +1,6 @@
+# Release Notes v0.5.12
+
+This release updates README.md and SECURITY.md to address questions regarding
+the supply chain attack against the original xz implementation.
+
+Thanks github user @rfay for the raising the issue.