Add link to security response process

Signed-off-by: Spencer Wilson <[email protected]>
open-quantum-safe · Feb 14, 2025 · 23e9168 · 23e9168
1 parent a554b36
commit 23e9168
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -88,6 +88,8 @@ We realize some parties may want to deploy quantum-safe cryptography prior to th
 
 **WE DO NOT CURRENTLY RECOMMEND RELYING ON THIS LIBRARY IN A PRODUCTION ENVIRONMENT OR TO PROTECT ANY SENSITIVE DATA.** This library is meant to help with research and prototyping.  While we make a best-effort approach to avoid security bugs, this library has not received the level of auditing and analysis that would be necessary to rely on it for high security use.
 
+Please see [SECURITY.md](SECURITY.md) for details on how to report a vulnerability and the OQS vulnerability response process.
+
 #### Platform limitations
 
 In order to optimize support effort,

diff --git a/SECURITY.md b/SECURITY.md
@@ -4,7 +4,7 @@
 
 We only support the most recent release.
 
-Using any code prior to 0.10.1 is strongly discouraged due to a [known security vulnerability in Kyber](https://github.com/open-quantum-safe/liboqs/releases/tag/0.10.1).
+Using any code prior to 0.12.0 is strongly discouraged due to a [known security vulnerability in HQC](https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-gpf4-vrrw-r8v7).
 
 | Version | Supported          |
 | ------- | ------------------ |
@@ -13,3 +13,7 @@ Using any code prior to 0.10.1 is strongly discouraged due to a [known security
 
 ## Reporting a Vulnerability
 Please follow [this information to report a vulnerability](https://openquantumsafe.org/liboqs/security.html#reporting-security-bugs).
+
+## Security Response Process
+
+Security reports for liboqs will be handled in accordance with the [OQS security response process](https://github.com/open-quantum-safe/tsc/blob/main/security/response-process.md).