Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Notify package owners of new vulnerabilities #8592

Open
drewgillies opened this issue May 24, 2021 · 1 comment
Open

Notify package owners of new vulnerabilities #8592

drewgillies opened this issue May 24, 2021 · 1 comment
Assignees
@drewgillies
Labels
Area: Security Pillar: Security
Milestone
Backlog

Comments

@drewgillies
Copy link
Contributor

drewgillies commented May 24, 2021
edited by joelverhagen
Loading

Mail blast to owners with vulnerabilities created since last mail blast.

This will require building an API query since last mail blast date and transforming result into added/removed/ranges_severity_changed etc.

Edit by @joelverhagen: an additional tweak on this proposal (great from @Tratcher!) is that we could introduce a verify/approve/correct workflow that gives the author 24 hours to act before we go live on NuGet.org. Example case where this would have helped: https://twitter.com/JamesNK/status/1600844999783903233 (GitHub Advisory DB switched a patched version from 13.0.1 to 13.0.2 for a short period, causing noise).
@drewgillies drewgillies self-assigned this May 24, 2021
@drewgillies drewgillies added this to the Sprint 2021-05 milestone May 24, 2021
@agr agr modified the milestones: Sprint 2021-05, Sprint 2021-06 Jun 4, 2021
@joelverhagen joelverhagen removed this from the Sprint 2021-08 milestone Aug 2, 2021
@drewgillies drewgillies added this to the Sprint 2021-09 milestone Sep 7, 2021
@agr agr removed this from the Sprint 2021-09 milestone Sep 7, 2021
@JonDouglas
Copy link
Contributor

Leaving a note here for future purposes:

We should work with GH Advisory DB / Security team to see how they can issue better notifications when an advisory is amended/edited. We should hook into that event to issue emails as well.

@JonDouglas JonDouglas mentioned this issue Jan 9, 2024
Open
8 tasks
@mariaghiondea mariaghiondea added this to the Dilithium milestone Jan 9, 2024
@mariaghiondea mariaghiondea modified the milestones: Sprint 2024-04, Selenium Mar 15, 2024
@mariaghiondea mariaghiondea modified the milestones: Selenium, Backlog Aug 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@drewgillies drewgillies

Labels
Area: Security Pillar: Security
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
5 participants
@joelverhagen @agr @JonDouglas @mariaghiondea @drewgillies