Commit 4c2071f

Revise SECURITY.md for clarity and updates
Updated the SECURITY.md file to include new sections on security update policy, security transparency, and improved formatting. Added links for better navigation and clarity.
1 parent 6589101 commit 4c2071f

1 file changed

+13
-28
lines changed

SECURITY.md

Lines changed: 13 additions & 28 deletions
@@ -4,45 +4,30 @@
44

55
## Supported Versions
66

7-
EPPlus 7 and 8 are automatically scanned for vulnerabilities and static code analysis is performed as part of the CI.
7+
See [Supported Versions](https://epplussoftware.com/en/Security/SupportedVersions) on the EPPlus website.
88

9-
|Version|Supported|Comment|Deprecation date|
10-
|-|-|-|-|
11-
|8.x.x|:white\_check\_mark:|||
12-
|7.x.x|:white\_check\_mark:|||
13-
|6.x.x|:x:|Deprecated/unsupported versions|2025-12-31|
14-
|5.x.x|:x:|Deprecated/unsupported versions|2024-12-31|
15-
|< 4.5|:x:|Deprecated/unsupported versions|2020-12-31|
9+
## Security Update Policy
1610

17-
## Security update policy
18-
19-
Security patches will be provided via new revisions released in our public Nuget feed. One patch for each supported major version/the two latest minor versions will be provided. [Subscribe to our newsletter](https://epplussoftware.com/en/Home/Newsletter) to get updates from EPPlus Software.
11+
Security patches will be provided via new revisions released in our public NuGet feed. One patch for each supported major version/the two latest minor versions will be provided. [Subscribe to our newsletter](https://epplussoftware.com/en/Home/Newsletter) to get updates from EPPlus Software.
2012

2113
## Reporting a Vulnerability
2214

23-
If you discover a security vulnerability in EPPlus, please report it through GitHub's private vulnerability reporting:
24-
25-
1. Go to the [Security tab](https://github.com/EPPlusSoftware/EPPlus/security/advisories/new) on the EPPlus repository.
26-
2. Click "Report a vulnerability" and fill in the details.
27-
28-
This ensures the report stays private until we have assessed and addressed the issue. Please do not report security vulnerabilities through the public issue tracker.
15+
See our [Vulnerability Disclosure Policy](https://epplussoftware.com/en/Security/VulnerabilityDisclosurePolicy) for instructions on how to report a vulnerability, what to expect, and our safe harbor commitment.
2916

30-
## Code signing
17+
Please do not report security vulnerabilities through the public issue tracker or other public channels.
3118

32-
Since version 7.5 the EPPlus Nuget package and the EPPlus libraries/dll:s are digitally signed by EPPlus Software AB.
19+
## Code Signing
3320

34-
## See also
35-
36-
* [EPPlus versioning](https://github.com/EPPlusSoftware/EPPlus/wiki/Releases-versioning)
21+
Since version 7.5 the EPPlus NuGet package and the EPPlus libraries/DLLs are digitally signed by EPPlus Software AB.
3722

3823
## Vulnerabilities
3924

40-
|Detected|Resolved|Affected EPPlus versions|CVE|Our comment|Resolution|
41-
|-|-|-|-|-|-|
42-
|April 15, 2026|April 16, 2026|EPPlus 8.x,targeting .NET 9 or 10|[Microsoft Security Advisory - CVE-2026-33116](https://github.com/advisories/GHSA-37gx-xxp4-5rgx) and [Microsoft Security Advisory - CVE-2026-26171](https://github.com/advisories/GHSA-w3x6-4m5h-cxqf)|Microsoft has released a security fix in System.Security.Cryptography.Xml 10.0.6 and 9.0.15. EPPlus uses this package to create and validate digital signatures for workbooks. The potential risk for most users should be very low.|Patch released in version 8.5.3|
43-
|October 10, 2024|October 11, 2024|EPPlus 7.x,targeting .NET 7 or 8|[Microsoft Security Advisory CVE-2024-38095](https://github.com/advisories/GHSA-447r-wph3-92pm) and [Microsoft Security Advisory CVE-2024-30105](https://github.com/advisories/GHSA-hh2w-p6rv-4g7w)|Microsoft has released a security fix in Microsoft.Extensions.Configuration.Json 8.0.1. The potential risk for most users should be low.|Patch released in version 7.4.1|
44-
|September 9, 2024||EPPlus 7.x, targeting .NET 7 or 8|[Microsoft Security Advisory CVE-2024-38095](https://github.com/advisories/GHSA-447r-wph3-92pm) and [Microsoft Security Advisory CVE-2024-30105](https://github.com/advisories/GHSA-hh2w-p6rv-4g7w)|Microsoft has released security fixes for System.Text.Json and System.Formats.Asn1 (transient dependencies in EPPlus). The potential risk for most users should be low.|Patch released in version 7.3.2|
45-
|June 15, 2023|June 15, 2023|EPPlus 6.x prior to 6.2.6, targeting .NET 6 or 7.|[.NET Denial of Service vulnerability (CVE 2023-29331)](https://github.com/advisories/GHSA-555c-2p6r-68mm)|Microsoft has released a security fix for a Denial of Service vulnerability (CVE-2023-29331) in System.Security.Cryptography.Pkcs for .NET 6 and .NET 7. EPPlus uses this component for x509 certificates used when signing VBA projects in a workbook. The potential risk for most users should be low, as the certificates used to sign your workbooks are usually known.|Upgrade to EPPlus 6.2.6 or higher|
25+
All known vulnerabilities, assessments, and advisories are published on our [Vulnerability Disclosures](https://epplussoftware.com/en/Security/Vulnerabilities) page.
26+
27+
## Security Transparency
4628

29+
We publish detailed security information including vulnerability disclosures, automated scan results, and software bills of materials on our [Security overview](https://epplussoftware.com/en/Security).
4730

31+
## See Also
4832

33+
- [EPPlus versioning](https://github.com/EPPlusSoftware/EPPlus/wiki/Releases-versioning)
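Review bot: the rewritten "Reporting a Vulnerability" section (new lines 15-17) drops the direct link to GitHub's private vulnerability reporting form (`https://github.com/EPPlusSoftware/EPPlus/security/advisories/new`) that old lines 23-27 carried, and now sends reporters only to the external Vulnerability Disclosure Policy page; if private reporting is still enabled on the repository, keep that link alongside the policy link, because GitHub shows this file to anyone who opens the Security tab and an external page can be offline or out of date when a reporter needs it. The same applies to the removed Supported Versions table (old lines 9-15) and the Vulnerabilities table (old lines 40-45): the fixed-version mapping (8.5.3, 7.4.1, 7.3.2, 6.2.6) and the deprecation dates now live only on epplussoftware.com, so anyone reading SECURITY.md from a checkout or an older tag has no in-repo record of which release fixes which advisory; a one-line "first fixed version" note per supported major would preserve that without duplicating the full table. Finally, the sentence kept on new line 11, "One patch for each supported major version/the two latest minor versions will be provided", reads two ways (one patch per supported major, or one patch for each of the two latest minor versions); since this line was touched anyway to fix "NuGet", consider rewording it to state which of the two is meant.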
