Merge pull request #5162 from apache/cve-backport-policy

CVE backport policy
apache · Aug 2, 2024 · 99894dc · 99894dc
2 parents a2241d3 + 3bf8ce6
commit 99894dc
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/src/docs/src/cve/index.rst b/src/docs/src/cve/index.rst
@@ -16,6 +16,13 @@
 Security Issues / CVEs
 ======================
 
+In the event of a CVE, the Apache CouchDB project will publish a fix as
+a patch to the current release series and its immediate predecessor only
+(e.g, if the current release is 3.3.3 and the predecessor is 3.2.3, we
+would publish a 3.3.4 release and a 3.2.4 release).
+
+Further backports may be published at our discretion.
+
 .. toctree::
     :maxdepth: 1
     :glob: