Security Policy - 2. Response times and immediate actions.

Response time and actions taken greatly depend on the severity of the loss introduced by a particular flaw in the software that has been packaged for Fink. In any case the Fink Core Team will take immediate action whenever it feels it is necessary to protect the Fink user community.

2.1 Response times

Each package should strive to meet the following response times. For some types of vulnerabilities the Fink Core Team might choose to take immediate action. If that is the case, one of the Core Team members will notify the maintainer of the package in question. Also, keep in mind that, while we strive to meet these response times, Fink is a volunteer effort, and they cannot be guaranteed.

Vulnerability             Response time
remote root exploit       minimum: immediate; maximum: 12 hours.
local root exploit        minimum: 12 hours; maximum: 36 hours.
remote DOS                minimum: 6 hours; maximum: 12 hours.
local DOS                 minimum: 24 hours; maximum: 72 hours.
remote data corruption    minimum: 12 hours; maximum: 24 hours.
local data corruption     minimum: 24 hours; maximum: 72 hours.

2.2 Forced updates

A member of the Fink Core Team might choose to update a package without waiting for the package's maintainer to take action. This is called a forced update. Not meeting the maximum required response time for a particular vulnerability in a Fink package also results in a forced update of that package.
