]> git.openstreetmap.org Git - nominatim.git/blob - SECURITY.md
split code into submodules
[nominatim.git] / SECURITY.md
1 # Security Policy
2
3 ## Supported Versions
4
5 All Nominatim releases receive security updates for two years.
6
7 The following table lists the end of support for all currently supported
8 versions.
9
10 | Version | End of support for security updates |
11 | ------- | ----------------------------------- |
12 | 4.4.x   | 2026-03-07                          |
13 | 4.3.x   | 2025-09-07                          |
14 | 4.2.x   | 2024-11-24                          |
15 | 4.1.x   | 2024-08-05                          |
16
17 ## Reporting a Vulnerability
18
19 If you believe, you have found an issue in Nominatim that has implications on
20 security, please send a description of the issue to **security@nominatim.org**.
21 You will receive an acknowledgement of your mail within 3 work days where we
22 also notify you of the next steps.
23
24 ## How we Disclose Security Issues
25
26 ** The following section only applies to security issues found in released
27 versions. Issues that concern the master development branch only will be
28 fixed immediately on the branch with the corresponding PR containing the
29 description of the nature and severity of the issue. **
30
31 Patches for identified security issues are applied to all affected versions and
32 new minor versions are released. At the same time we release a statement at
33 the [Nominatim blog](https://nominatim.org/blog/) describing the nature of the
34 incident. Announcements will also be published at the
35 [geocoding mailinglist](https://lists.openstreetmap.org/listinfo/geocoding).
36
37 ## List of Previous Incidents
38
39 * 2023-11-20 - [SQL injection vulnerability](https://nominatim.org/2023/11/20/release-432.html)
40 * 2023-02-21 - [cross-site scripting vulnerability](https://nominatim.org/2023/02/21/release-421.html)
41 * 2020-05-04 - [SQL injection issue on /details endpoint](https://lists.openstreetmap.org/pipermail/geocoding/2020-May/002012.html)