Security: open-telemetry/opentelemetry-go-contrib
Security
SECURITY.md
This security policy applies to all projects under the open-telemetry organization on GitHub. Security reports involving specific projects should still be reported following the instructions in this document: the report will be shared by the technical committee with the project leads, who might not all have access to the private key required to decrypt your message.
The OpenTelemetry project provides community support only for the last minor version: bug fixes are released either as part of the next minor version or as an on-demand patch version. Independent of which version is next, all patch versions are cumulative, meaning that they represent the state of our main branch at the moment of the release. For instance, if the latest version is 0.10.0, bug fixes are released either as part of 0.11.0 or 0.10.1.
Security fixes are given priority and might be enough to cause a new version to be released.
If you find something suspicious and want to report it, we'd really appreciate it!
In order for the vulnerability reports to reach maintainers as soon as possible, the preferred way is to use the Report a vulnerability button on the Security tab in the respective GitHub repository. It creates a private communication channel between the reporter and the maintainers.
For reporting security issues against the website, please report them at https://github.com/open-telemetry/opentelemetry.io/security/advisories.
If you are absolutely unable to or have strong reasons not to use the GitHub reporting workflow, please reach out to security@opentelemetry.io.
- DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics. GHSA-8pgv-569h-w5rw, published Nov 10, 2023 by pellared (High)
- DoS vulnerability in otelhttp (uncontrolled resource consumption) due to unbound cardinality metrics. GHSA-rcjv-mgp8-qvmr, published Oct 12, 2023 by arminru (High)
- DoS vulnerability for high cardinality metrics in otelhttp and otelbeego. GHSA-5r5m-65gx-7vrh, published Feb 8, 2023 by Aneurysm9 (High)