Security Policy - 2. Response times and immediate actions.
Response time and actions taken greatly depend on the severity of the loss introduced by a particular flaw in the software that has been packaged for Fink. In any case the Fink Core Team will take immediate action whenever it feels it is necessary to protect the Fink user community.
2.1 Response times
Each package should strive to meet the following response times. For some types of vulnerabilities the Fink Core Team might choose to take immediate action. If that is the case, one of the Core Team members will notify the maintainer of the package in question. Also, keep in mind that, while we strive to meet these response times, Fink is a volunteer effort, and they cannot be guaranteed.
Vulnerability | Response time |
---|---|
remote root exploit | minimum: immediate; maximum: 12 hours. |
local root exploit | minimum: 12 hours; maximum: 36 hours. |
remote DOS | minimum: 6 hours; maximum: 12 hours. |
local DOS | minimum: 24 hours; maximum: 72 hours. |
remote data corruption | minimum: 12 hours; maximum: 24 hours. |
local data corruption | minimum: 24 hours; maximum: 72 hours. |
2.2 Forced updates
A member of the Fink Core Team might choose to update a package without waiting for the package's maintainer to take action. This is called a forced update. Not meeting the maximum required response time for a particular vulnerability in a Fink package also results in a forced update of that package.