# Security Policy

## Supported Versions

The currently supported maintenance release is 2.15.

| Version | Supported          |
| ------- | ------------------ |
| 2.15.x  | :white_check_mark: |
| 2.12.x  | limited            |
| 2.10.x  | :x:                |
| 2.7.x   | :x:                |

## Reporting a Vulnerability

If you have details of a suspected security vulnerability in Lustre code that you
wish to report then please email us at security@whamcloud.com with the details.

Please do not file a public JIRA issue for a security vulnerability - we do not want
to draw attention to the vulnerability until a fix has been developed and administrators
have been alerted and have had some time to put a mitigation in place.

Ideally the reporting email should have as much detail as possible:

- reproducer, versions affected, fix if available, etc.
- indicate to whom (individual and/or affiliation) that credit for finding the issue should be reported
- details of any CVE already reserved
- our intentions around disclosing the details of the vulnerability

We aim to respond to any such reports within three business days of receipt.