From 4f11dce79b9977ec2976a978d6c594ea1c23cf29 Mon Sep 17 00:00:00 2001 From: Ulrich Kunitz Date: Wed, 3 Apr 2024 20:46:24 +0200 Subject: [PATCH] Update README.md and SECURITY.md to address security questions There has been a supply chain attack against the original xz implementation, [CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094). README.md has been updated to clarify that this implementation is not affected. SECURITY.md now supports Github's private security reports. --- README.md | 11 +++++++++++ SECURITY.md | 13 +++++++++++-- TODO.md | 5 +++++ doc/relnotes/release-v0.5.12.md | 6 ++++++ 4 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 doc/relnotes/release-v0.5.12.md diff --git a/README.md b/README.md index 5547185..56d4927 100644 --- a/README.md +++ b/README.md @@ -75,3 +75,14 @@ To decompress it use the following command. $ gxz -d bigfile.xz +## Security & Vulnerabilities + +The security policy is documented in [SECURITY.md](SECURITY.md). + +The software is not affected by the supply chain attack on the original xz +implementation, [CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094). +This implementation doesn't share any files with the original xz implementation +and no patches or pull requests are accepted without a review. + +All security advisories for this project are published under +[github.com/ulikunitz/xz/security/advisories](https://github.com/ulikunitz/xz/security/advisories?state=published). diff --git a/SECURITY.md b/SECURITY.md index 5f7ec01..1bdc888 100644 --- a/SECURITY.md +++ b/SECURITY.md
@@ -6,5 +6,14 @@ Currently the last minor version v0.5.x is supported. ## Reporting a Vulnerability -Report a vulnerability by creating a Github issue at -. Expect a response in a week. +You can privately report a vulnerability following this +[procedure](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). +Alternatively you can create a Github issue at +. + +In both cases expect a response in at least 7 days. + +## Security Advisories + +All security advisories for this project are published under +[github.com/ulikunitz/xz/security/advisories](https://github.com/ulikunitz/xz/security/advisories?state=published). diff --git a/TODO.md b/TODO.md index 69de8b6..c466ffe 100644 --- a/TODO.md +++ b/TODO.md @@ -86,6 +86,11 @@ ## Log +### 2024-04-03 + +Release v0.5.12 updates README.md and SECURITY.md to address the supply chain +attack on the original xz implementation. + ### 2022-12-12 Matt Dantay (@bodgit) reported an issue with the LZMA reader. The implementation diff --git a/doc/relnotes/release-v0.5.12.md b/doc/relnotes/release-v0.5.12.md new file mode 100644 index 0000000..1e68351 --- /dev/null +++ b/doc/relnotes/release-v0.5.12.md @@ -0,0 +1,6 @@ +# Release Notes v0.5.12 + +This release updates README.md and SECURITY.md to address questions regarding +the supply chain attack against the original xz implementation. + +Thanks github user @rfay for the raising the issue.
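Review bot: The README.md hunk's assurance that "no patches or pull requests are accepted without a review" does not say who performs the review or how a reader can verify it; naming the reviewing role (the maintainer, a second maintainer) and pointing to how tagged releases are produced would turn the sentence into something a user can check rather than take on trust. The sentence "This implementation doesn't share any files with the original xz implementation" is the key claim for the CVE-2024-3094 question and deserves the same treatment, e.g. one clause stating that the code is an independent implementation, so the reader does not have to infer that from "doesn't share any files".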
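Review bot: "In both cases expect a response in at least 7 days." in the SECURITY.md hunk inverts the intended meaning: "at least 7 days" promises a minimum wait, while the removed line promised a response "in a week"; "within 7 days" is what is meant. The issue link in "Alternatively you can create a Github issue at ." has no target (the removed line had the same gap), so either the URL was lost in this change or it still needs to be filled in. Consider also stating that the public issue route is for reports that need no confidentiality, since a vulnerability filed as a public issue is visible to everyone before a fix exists; the private reporting procedure introduced here is the right default and could be named as such.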
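Review bot: "Thanks github user @rfay for the raising the issue." in the release notes hunk has a stray "the" ("for raising the issue"), and "github" is cased differently from "Github" in SECURITY.md and the commit message. The notes say the release addresses questions about the supply chain attack but do not say how; a link to the new "Security & Vulnerabilities" section in README.md and to the advisories page would give readers the answer directly.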