docs(security): update policy for OpenSSF badge

Update supported versions to 1.16.x, add response process with
7-day acknowledgment timeline, reporter credit policy, and secure
development practices section.

Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Ramon Roche 2026-03-12 12:12:47 -07:00
parent 400bb253bd
commit 3f0ddf9793


@ -2,24 +2,40 @@
## Supported Versions ## Supported Versions
The following is a list of versions the development team is currently supporting. The following versions receive security updates:
| Version | Supported | | Version | Supported |
| ------- | ------------------ | | ------- | ------------------ |
| 1.4.x | :white_check_mark: | | 1.16.x | :white_check_mark: |
| 1.3.3 | :white_check_mark: | | < 1.16 | :x: |
| < 1.3 | :x: |
## Reporting a Vulnerability ## Reporting a Vulnerability
We currently only receive security vulnerability reports through GitHub. We receive security vulnerability reports through GitHub Security Advisories.
To begin a report, please go to the top-level repository, for example, PX4/PX4-Autopilot, To begin a report, go to the [PX4/PX4-Autopilot](https://github.com/PX4/PX4-Autopilot) repository
and click on the Security tab. If you are on mobile, click the ... dropdown menu, and then click Security. and click on the **Security** tab. If you are on mobile, click the **...** dropdown menu, then click **Security**.
Click Report a Vulnerability to open the advisory form. Fill in the advisory details form. Click **Report a Vulnerability** to open the advisory form. Fill in the advisory details form.
Make sure your title is descriptive, and the development team can find all of the relevant details needed Make sure your title is descriptive and the description contains all relevant details needed
to verify on the description box. We recommend you add as much data as possible. We welcome logs, to verify the issue. We welcome logs, screenshots, photos, and videos.
screenshots, photos, and videos, anything that can help us verify and identify the issues being reported.
At the bottom of the form, click Submit report. The maintainer team will be notified and will get back to you ASAP. At the bottom of the form, click **Submit report**.
## Response Process
1. **Acknowledgment**: The maintainer team will acknowledge your report within **7 days**.
2. **Triage**: We will assess severity and impact and communicate next steps.
3. **Disclosure**: We coordinate disclosure with the reporter. We follow responsible disclosure practices and will credit reporters in the advisory unless they request anonymity.
If you do not receive acknowledgment within 7 days, please follow up by emailing the [release managers](MAINTAINERS.md).
## Secure Development Practices
The PX4 development team applies the following practices to reduce security risk:
- **Code review**: All changes require peer review before merging.
- **Static analysis**: [clang-tidy](https://clang.llvm.org/extra/clang-tidy/) runs on every pull request with warnings treated as errors.
- **Fuzzing**: A daily fuzzing pipeline using [Google fuzztest](https://github.com/google/fuzztest) tests MAVLink message handling and GNSS driver protocol parsing.
- **Input validation**: All external inputs (MAVLink messages, RC signals, sensor data) are validated against expected ranges before use.
- **Compiler hardening**: Builds use `-Wall -Werror`, stack protectors, and other hardening flags where supported by the target platform.
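Review bot: the fallback contact in the Response Process ("follow up by emailing the [release managers](MAINTAINERS.md)") names no address, and a relative link to MAINTAINERS.md will not resolve when SECURITY.md is rendered in the repository's Security tab or on the advisory form, which is exactly where a reporter whose GitHub advisory went unanswered will be reading it; put the security contact e-mail (or an absolute link to the maintainers list) directly in this section. Two smaller points in the same hunk: the Disclosure step says only that disclosure is coordinated with the reporter, so consider stating a default coordinated-disclosure window so reporters know what to expect; and in Secure Development Practices, "All changes require peer review" and "All external inputs ... are validated against expected ranges" read as absolute guarantees, so either soften them to describe the policy, or link the CI workflows that enforce clang-tidy and the daily fuzzing run so the claims are verifiable from the document.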