Update SECURITY.md and LICENSE.md

diff --git a/LICENSE.md b/LICENSE.md
index a74a0fe4ef07ce402b8d0cea80807adc709022d6..db39daf4caf02620412219bb16d9039b1add1c39 100644 (file)
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -11,7 +11,7 @@ Civetweb License
 
 ### Included with all features.
 
-> Copyright (c) 2013-2021 The CivetWeb developers ([CREDITS.md](https://github.com/civetweb/civetweb/blob/master/CREDITS.md))
+> Copyright (c) 2013-2025 The CivetWeb developers ([CREDITS.md](https://github.com/civetweb/civetweb/blob/master/CREDITS.md))
 >
 > Copyright (c) 2004-2013 Sergey Lyubka
 >

diff --git a/SECURITY.md b/SECURITY.md
index b1781afff139e2ba8b4cbaca38a35592eb3ff038..78c855418e0799ffb475647018fc805c42134aa7 100644 (file)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -14,16 +14,12 @@ Selected, critical defects are fixed in the latest release as well.
 Note that different security policies apply to different files/folders in this project:
 - The core components are include/civetweb.h, src/civetweb.c and src/*.inl.  These files are part of every server instance in production. Therefore they have to undergo the most intensive security tests and reviews.
 - The src/main.c file is used by the standalone server. It is used in various tests in combination with the aforementioned core components. Applications embedding civetweb will not use main.c and, thus, do not suffer from any vulnerabilities therein.
-- The example folders contain different usage examples in different maintenance state. This is explained in detail in the README file there.
+- The example folders contain different usage examples in different maintenance state. Some of them skipped error handling to keep the code shorter and easier to understand. This is explained in more detail in the README file there.
 - The content of all test folders (test, unittest, fuzztest) is used to test the server functionality. These tests are not designed with security in mind - on the contrary, some tests contain scripts or settings that even introduce security leaks on purpose. All tests are only meant to be run in a test environment. You should not use the content of any test folder in production. Also certificates in "resources/cert" are only meant to be used in test environments and must never be used in production.
 
 
 ## Reporting a Vulnerability
 
-Please send vulnerability reports by email to bel2125 at gmail com.
-Vulnerability with low severity can be sent directly by email.
-
-For high severity vulnerabilities, you can get an individual gpg key to encrypt your detailed description of vulnerabilities you want to report.
-
-If you do not get any response within one week, your email might have been lost (e.g., deleted as false positive by a spam filter). In this case, please open a GitHub issue.
+Ideally open a github issue for suspected vulnerabilities, even if you do not post all details there. This will help against emails getting lost.
+Detailed vulnerability reports including exploit code should be sent by email to bel2125 at gmail com.