Open
Conversation
glennsong09 approved these changes (Feb 9, 2026)
bmribler requested changes (Feb 11, 2026)
| Branch | Example | Security Support |
| :--- | :--- | :--- |
| **Current Release** | 2.11.x | All severity levels (Critical, High, Medium) |

If the current release is **2.11.3**:
- **2.11.x** (Active) - All security patches
- **1.14.x** (Maintenance) - Critical vulnerabilities only
- **2.0.x - 2.10.x** - EOL, no patches
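Review bot: the last bullet presents "2.0.x - 2.10.x" as if it were a third branch category next to Active and Maintenance, which is what makes the example confusing; the reason those lines get no patches is the rule stated later in the file (only the current minor line of the active major and the previous major are supported), so say it on the line itself, e.g. `- **2.0.x - 2.10.x** (intermediate minor lines of the current major) - EOL, no patches`, and consider adding a Maintenance row for the previous major to the table so the table and the example list cover the same set of branches.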
Collaborator
Hmm, I'm confused about 2.10.x...
Security patches are **NOT** backported to intermediate minor versions. Users must upgrade to a supported branch (current or previous major) to receive security updates.
### End of Life (EOL) Policy

We provide a minimum **6-month notice** before a Major version line enters EOL status. These announcements are made via our [GitHub Discussions](https://github.com/HDFGroup/hdf5/discussions).
Collaborator
Do we want via the forum too?
If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.

### Reporting Process
**Clarification on Release Targets vs. Disclosure Deadline:**
- The "Public Release Target" times in the table above (30 days for Critical, 60 days for High) are our **goals** for releasing fixes
- However, the **90-day cap applies to all severities** - if we cannot release a fix within our target timeframe, public disclosure will still occur at 90 days maximum
- Example: A Critical vulnerability targets a 30-day fix, but if unforeseen issues delay the fix, disclosure will occur at 90 days even if the fix is not ready
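Review bot: the 90-day cap in the second bullet never states when the clock starts (receipt of the report, acknowledgement, or confirmation that the issue is real), and the example in the third bullet depends on that; name the start point once in the second bullet, e.g. "90 days from the date the report is received", and have the example tie the delay to the missed target so the two numbers read as the same timeline: "if the fix is not ready by the 30-day target, disclosure still occurs at 90 days from the report".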
Collaborator
Suggestion: "...if the fix is not ready by the 30-day target..." or something like that?
## Security Patch Management
### Applying Security Updates

Collaborator
There is an extra line here, but probably intentional because of the list that follows.
SHINY-45, SHINY-55
Important
Adds a detailed security policy for HDF5, covering scope, reporting, severity assessment, patch management, and researcher recognition.