Update SECURITY.md (#3218)
tillprochaska authored Jul 20, 2023
1 parent 85947d7 commit 8291657
Showing 2 changed files with 15 additions and 13 deletions.
12 changes: 4 additions & 8 deletions SECURITY.md
@@ -1,17 +1,13 @@
# Security Policy

## Supported Versions
## Supported versions

Aleph is a fast-moving project, developed through grant funding. We thus cannot provide specific
long-term support releases. Instead, we advise all implementors of the software to keep their
installations up to date as much as they can.

At the time of writing, versions 1.x and 2.x, and > 3.6 are completely discontinued.
Please refer to our [Support Policy](SUPPORT.md) for more information about supported Aleph versions.

## Reporting a Vulnerability
## Reporting a vulnerability

Low-grade security issues can be reported via GitHub issues. If you believe you have found a
critical security vulnerability, please consider contacting the Organized Crime and Corruption
Reporting Project, the core maintainer of Aleph, directly via our responsible disclosure process:

https://www.occrp.org/en/responsible-disclosure
In order to report a security vulnerability, please contact the Organized Crime and Corruption Reporting Project (OCCRP), the core maintainer of Aleph, directly via [OCCRP’s Responsible Disclosure Policy](https://www.occrp.org/en/responsible-disclosure).
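Review bot: The new "Reporting a vulnerability" paragraph no longer says whether a public GitHub issue is acceptable for any class of security report. The removed text explicitly allowed low-grade issues there, so a reader of the new version cannot tell whether that channel is now closed. Suggest adding one sentence stating that security vulnerabilities should not be filed as public GitHub issues and that all of them go through the linked OCCRP policy. In "Supported versions", the removed line named the discontinued versions directly; the replacement only links to SUPPORT.md, so it would help to say here that security fixes apply to supported versions only, so that the consequence of running an old release is visible in this file.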
16 changes: 11 additions & 5 deletions SUPPORT.md
@@ -1,18 +1,22 @@
# Aleph Support Policy
# Support Policy

_Technology is neither good nor bad; nor is it neutral._ (Kranzberg)

The objective of the Aleph project is to provide powerful software to those who do investigative work in the public interest.

**We develop this technology following the open source model, and will continue to release our code to the public. At the same time, we have chosen to limit the scope of the community to whom we will provide support and engagement.**

The maintainers of this project limit support and responses both on GitHub and in the Slack channel to authorised groups and individuals. In order to receive authorisation, we require that you disclose the manner in which you use our technology. **We will decide if that use falls within the intended uses of Aleph.** Examples of intended uses could include:
## Eligible use cases

- Professional investigative journalists.
The maintainers of this project limit support and responses both on GitHub and in the Slack channel to authorised groups and individuals. In order to receive authorisation, we require that you disclose the manner in which you use our technology. **We will decide if that use falls within the intended uses of Aleph.**

Examples of intended uses could include:

- Professional investigative journalists
- Activists, advocates and academics working in the public interest, and whose work is subject to an editorial policy
- International bodies that have an investigative function.
- International bodies that have an investigative function

Support includes installation support, requests for new features or issues specific to your local Aleph installation. General bugs and contributions to the Aleph source code that can contribute to reliability of the system will be considered.
Support includes installation support, requests for new features or issues specific to your local Aleph installation. Bug fixes and contributions to the Aleph source code that can contribute to reliability of the system will be considered.

Please submit a description of your use case along with your name, affiliation and email address using one of the following channels:
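Review bot: Under the new "Eligible use cases" heading, responses on GitHub and Slack are limited to authorised groups, and nothing says that vulnerability reports are handled regardless of authorisation. Since SECURITY.md now links to this file, a reporter who is not an authorised user could read this section as meaning their report will go unanswered. Suggest a sentence here such as "Security vulnerability reports are handled as described in SECURITY.md and do not require authorisation", if that is the intended policy. As a smaller structural point, "Support includes installation support, ..." and the submission instructions describe the scope of support and how to request it, not eligibility, and would read better under their own heading.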

Expand All @@ -22,6 +26,8 @@ Please submit a description of your use case along with your name, affiliation a

Make sure you describe your goals, rather than the set of techniques that define your work (e.g. “investigations into human rights abuses in country X”, not “OSINT”). OCCRP is a non-profit organization. We do not offer commercial support or consulting services.

## Supported versions

The Aleph team supports feature versions for 12 months after the first major iteration of that version was released. For example, we support Aleph 3.12.x for 12 months after Aleph 3.12.0 was released. The Aleph team supports upgrades, but only from supported feature versions of the product. Support means helping to ensure that you can get your Aleph instance up and running. As we're a small team we don't have the capacity to backport bugs to supported versions. In the case of critical secruity vulnrabilities we'll endeavour to ensure that all currently supported versions, but we recommend administrators upgrade to the latest version as soon as possible.

For versions that are supported, if you are having problems, you can reach out to us in Slack or by raising an issue in Github.
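Review bot: In the new "Supported versions" paragraph, the sentence that carries the security commitment is incomplete: "we'll endeavour to ensure that all currently supported versions, but we recommend ..." has no verb after "versions", so it does not say what is ensured. Please state the commitment explicitly, for example that all currently supported versions receive a fix, if that is what is meant. The same sentence misspells "secruity vulnrabilities", "backport bugs" presumably means "backport bug fixes", and "Github" should be "GitHub". It would also help to link from here to SECURITY.md, since this paragraph is where that file now sends readers for version information.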
