This is the list of versions of carbon-registry which are currently being supported with security updates.
Version | Supported |
---|---|
1.x | โ |
0.x | โ |
The United Nations Development Programme (UNDP) takes the security of our software products seriously. If you believe you have found a security vulnerability in the Carbon Registry AGPL software, please report it to us as described below.
- Do Not Report Security Vulnerabilities Publicly
  - Please do not report security vulnerabilities through public GitHub issues.
- Email
  - Directly email the UNDP Carbon Registry security team at [email protected].
  - Please provide detailed information about the vulnerability, including steps to reproduce, potential impact, and suggested mitigation or remediation if known.
- Expect a Response
  - We strive to acknowledge receipt of vulnerabilities and communicate our intended timeline for a fix within days.
- Confidentiality
  - Reporters of security vulnerabilities are expected to keep the vulnerability details confidential until a fix is released.
- Public Disclosure
  - Details about the vulnerability, including a description, its impact, and the date the fix was released, may be published after a fix is released, allowing users to assess the impact on their own deployment and take appropriate measures. The reporter is kept confidential unless otherwise requested.

Please refer to the documentation for information on secure configuration and deployment and compliance with security standards and best practices.
If you have suggestions on how this process could be improved, please submit a pull request.
The Standard Carbon Registry team would like to thank all security researchers who responsibly disclose vulnerabilities and help us keep our users safe.