SECURITY.md

This document specifies the security process for the SwiftOpenAPIGenerator project.

The SwiftOpenAPIGenerator team asks that known and suspected vulnerabilities be privatelyand responsibly disclosed by emailingsswg-security-reports@forums.swift.orgwith the details usually included with bug reports.Do not file a public issue.

• You think you have discovered a potential security vulnerability in SwiftOpenAPIGenerator or any of the SwiftOpenAPIGenerator projects.
• You are unsure how a vulnerability affects SwiftOpenAPIGenerator or any of the SwiftOpenAPIGenerator projects.

• A member of the team will acknowledge receipt of the report within 3working days (United States). This may include a request for additionalinformation about reproducing the vulnerability.
• We will privately inform the Swift Server Work Group (SSWG) of thevulnerability within 10 days of the report as per theirsecurityguidelines.
• Once we have identified a fix we may ask you to validate it. We aim to do thiswithin 30 days. In some cases this may not be possible, for example when thevulnerability exists at the protocol level and the industry must coordinate onthe disclosure process.
• If a CVE number is required, one will be requested fromMITREproviding you with full credit for the discovery.
• We will decide on a planned release date and let you know when it is.
• Prior to release, we will inform major dependents that a security-relatedpatch is impending.
• Once the fix has been released we will publish a security advisory on GitHuband theSSWG will announce the vulnerability on theSwiftforums.

There aren’t any published security advisories