|
| 1 | +<!-- SPDX-License-Identifier: Apache-2.0 --> |
| 2 | +<!-- Copyright Contributors to the OpenTimelineIO project --> |
| 3 | + |
| 4 | +# Security Policy |
| 5 | + |
| 6 | +## Reporting a Vulnerability |
| 7 | + |
| 8 | +If you think you've found a potential vulnerability in OpenTimelineIO, please |
| 9 | +report it by filing a GitHub [security |
| 10 | +advisory](https://github.com/AcademySoftwareFoundation/OpenTimelineIO/security/advisories/new). Alternatively, email |
| 11 | +[security@opentimeline.io](mailto:security@opentimeline.io?subject=OpenTimelineIO%20Vulnerability%20Report&body=Impact%0A_What%20is%20it,%20who%20is%20impacted_%0A%0APatches%0A_Has%20it%20been%20patched%20and%20in%20which%20version_%0A%0AWorkarounds%0A_Is%20there%20a%20way%20for%20users%20to%20fix%20or%20remediate%20without%20upgrading_%0A%0AReferences%0A_Where%20can%20users%20visit%20to%20find%20out%20more_) |
| 12 | +and provide your contact info for further private/secure discussion. If your email does not receive a prompt |
| 13 | +acknowledgement, your address may be blocked. |
| 14 | + |
| 15 | +Our policy is to acknowledge the receipt of vulnerability reports |
| 16 | +within 48 hours. Our policy is to address critical security vulnerabilities |
| 17 | +rapidly and post patches within 14 days if possible. |
| 18 | + |
| 19 | +## Known Vulnerabilities |
| 20 | + |
| 21 | +These vulnerabilities are present in the given versions: |
| 22 | + |
| 23 | +* No known vulnerabilities |
| 24 | + |
| 25 | +See the [release notes](https://github.com/AcademySoftwareFoundation/OpenTimelineIO/releases) for more information. |
| 26 | + |
| 27 | +## Supported Versions |
| 28 | + |
| 29 | +This gives guidance about which branches are supported with patches to |
| 30 | +security vulnerabilities. |
| 31 | + |
| 32 | +| Version / branch | Supported | |
| 33 | +|------------------|------------------------------------------------------------------------------------------------------------------------------------| |
| 34 | +| main | :white_check_mark: :construction: ALL fixes immediately, but this is a branch under development and may be unstable in other ways. | |
| 35 | +| 0.18.x | :white_check_mark: All fixes that can be backported without breaking compatibility. | |
| 36 | +| 0.17.x | :white_check_mark: All fixes that can be backported without breaking compatibility. | |
| 37 | +| 0.16.x | :warning: Only the most critical fixes, only if they can be easily backported. | |
| 38 | +| <= 0.15.x | :x: No longer receiving patches of any kind. | |
| 39 | + |
| 40 | + |
| 41 | +### Software Dependencies |
| 42 | + |
| 43 | +#### OpenTimelineIO C++ |
| 44 | + |
| 45 | +- [Imath](https://github.com/AcademySoftwareFoundation/Imath) - Provides Vector, Matrix, and Bounding Box primitives. |
| 46 | +- [rapidjson](https://github.com/Tencent/rapidjson/) - Used in serialization/deserialization of the `.otio` JSON file format. |
| 47 | + |
| 48 | +#### OpenTimelineIO Python |
| 49 | + |
| 50 | +- [pybind11](https://github.com/pybind/pybind11) (only if built with Python bindings) - Used to create Python bindings for the C++ library. |
| 51 | +- [importlib_metadata](https://pypi.org/project/importlib-metadata/) - Provides backward compatability for Python 3.7. |
| 52 | + |
| 53 | +Optionally, OTIOView requires: |
| 54 | + |
| 55 | +- [PySide2](https://pypi.org/project/PySide2/) - on x86_64. |
| 56 | +- [PySide6](https://pypi.org/project/PySide6/) - on AArch64. |
0 commit comments