# RTRlib Security Policy

All reported security bugs will be silently fixed in `master` and backported
to the current release.

## Reporting a Vulnerability

If a security issue is discovered, please report it to security-rtrlib@googlegroups.com.
A response will be provided within one week.
The issue will be tracked using the [security mailing
list](mailto:security-rtrlib@googlegroups.com).
Only RTRlib maintainers are members of this mailing list, but the original
reporter of the security vulnerability will be included in the discussion of
the issue.

## Notification of a Vulnerability

After a fix is provided, the security issue will be privately disclosed to the
original reporter, RTRlib security maintainers, and "Trusted RTRlib Users".
A public announcement of the security fix will be made two weeks after the
point release, though this may vary depending on the severity and ability of
trusted RTRlib users to provide the fix.

## Trusted RTRlib Users

To access the "Trusted RTRlib Users" notifications on the mailing list,
please send information on the RTRlib-based service or product as well as
your preferred email address to receive notifications to the [security
mailing list](mailto:security-rtrlib@googlegroups.com).
Early notification of security bugs will be available and should not be
shared publicly.
Sharing it publicly will result in removal of access to the
"Trusted RTRlib Users" notifications.

