Add Security Policy #755 (Open)

niccokunzmann wants to merge 9 commits into collective:main from niccokunzmann:security
Commits (9), all by niccokunzmann:

cb1a380  Add Security Policy
3d82cf4  Documentation improvements
c8709f9  Add SECURITY.md file as recognized by GitHub
3e08ad2  Use Plone's security policy
5f69b2c  Update docs/security.rst
e43536e  Update docs/security.rst
0ec11d5  Apply suggestion for security policy, copied from Pylons
02f6426  correct process of disclosure
47f59d1  Merge branch 'main' into security
|
@@ -16,7 +16,7 @@ Breaking changes: | |
|
||
New features: | ||
|
||
- ... | ||
- Add :ref:`Security Policy` | ||
|
||
Bug fixes: | ||
|
||
|
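Review bot: the new changelog entry `- Add :ref:`Security Policy`` references a label that the added docs/security.rst hunk never defines explicitly (there is no `.. _security policy:` line above the heading), so it only resolves if the Sphinx build generates section labels automatically; build the docs with warnings treated as errors once before merging so a later rename of the "Security Policy" heading cannot silently turn this into a dead reference.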
@@ -0,0 +1,7 @@ | ||
# Security Policy | ||
|
||
Please find our [security policy in the documentation](https://icalendar.readthedocs.io/en/latest/security.html). | ||
|
||
See also: | ||
|
||
- [docs/security.rst](docs/security.rst) |
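Review bot: SECURITY.md is the file GitHub surfaces on the repository's Security tab, and this version only links out to readthedocs, so a reporter gets no reporting channel at all if the docs site is unavailable or the page moves. Suggest stating the channel inline in one sentence, mirroring docs/security.rst, e.g. "Use the Report a vulnerability button on https://github.com/collective/icalendar/security", and keeping the docs link as the place for the full policy. The relative link `[docs/security.rst](docs/security.rst)` renders on GitHub but will be broken wherever the file is viewed outside the repository tree.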
@@ -1,5 +1,3 @@ | ||
.. _contributing: | ||
|
||
------------------ | ||
Contributing | ||
------------------ | ||
|
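Review bot: dropping the explicit `.. _contributing:` label breaks every `:ref:`contributing`` elsewhere in the docs unless the build supplies section labels automatically (the changelog hunk in this PR relies on `:ref:`Security Policy`` with no explicit label, which suggests it does); grep the docs tree for `:ref:`contributing`` and confirm the Sphinx build reports no new "undefined label" warnings before merging.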
|
@@ -21,3 +21,4 @@ Contents | |
:titlesonly: | ||
|
||
contributing | ||
security |
@@ -0,0 +1,58 @@ | ||
Security Policy | ||
=============== | ||
|
||
This documents the security policy and actions to take to secure the package and its deployment and use. | ||
|
||
Supported Versions | ||
------------------ | ||
|
||
Security vulnerabilities are fixed only for the latest version of ``icalendar``. | ||
|
||
.. list-table:: Versions to receive security updates | ||
:widths: 25 25 | ||
:header-rows: 1 | ||
|
||
* - Version | ||
- Supported | ||
* - 6.* | ||
- YES | ||
* - 5.* | ||
- no | ||
* - 4.* | ||
- no | ||
* - before 4.* | ||
- no | ||
|
||
|
||
Reporting a Vulnerability | ||
------------------------- | ||
|
||
To report security issues of ``collective/icalendar``, use the ``Report a vulnerability`` button on the project's `Security Page <https://github.com/collective/icalendar/security>`_. | ||
|
||
If you cannot do this, please contact one of the :ref:`maintainers` directly. | ||
|
||
The maintainers of ``icalendar`` will then notify `Plone's security team <https://plone.org/security/report>`_. | ||
|
||
If we determine that your report may be a security issue with the project, we may contact you for further information. | ||
We volunteers ask that you delay public disclosure of your report for at least ninety (90) days from the date you report it to us. | ||
This will allow sufficient time for us to process your report and coordinate disclosure with you. | ||
|
||
Once verified and fixed, the following steps will be taken: | ||
|
||
- We will use GitHub's Security Advisory tool to report the issue. | ||
- GitHub will review our Security Advisory report for compliance with Common Vulnerabilities and Exposures (CVE) rules. | ||
If it is compliant, they will submit it to the MITRE Corporation to generate a `CVE <https://www.cve.org/>`_. | ||
This in turn submits the CVE to the `National Vulnerability Database (NVD) <https://nvd.nist.gov/vuln/search>`_. | ||
GitHub notifies us of their decision. | ||
- Assuming it is compliant, we then publish our Security Advisory on GitHub, which triggers the next steps. | ||
- GitHub will publish the CVE to the CVE List. | ||
- GitHub will broadcast our Security Advisory via the `GitHub Advisory Database <https://github.com/advisories>`_. | ||
- GitHub will send `security alerts <https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies>`_ to all repositories that use our package (and have opted into security alerts). | ||
This includes Dependabot alerts. | ||
- We will make a bug-fix release. | ||
- We will send an announcement through our usual channels: | ||
|
||
- The :ref:`Changelog` | ||
- The GitHub releases of ``icalendar`` | ||
- If possible also `Plone's Security Announcements <https://plone.org/security/announcements>`_ | ||
|
||
- We will provide credit to the reporter or researcher in the vulnerability notice. |
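Review bot: the step order under "Once verified and fixed" publishes the Security Advisory, the CVE and the Dependabot alerts before "We will make a bug-fix release", so downstream users receive an alert for a public CVE with no fixed version to upgrade to. Move the bug-fix release ahead of "we then publish our Security Advisory on GitHub" (or state that release and publication happen together) and record that release as the patched version in the advisory. Minor: the support table mixes "YES" and "no"; pick one casing.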
Review comment:

For a security policy, see examples at:

It's really up to you what you want to include. If you have another revision after reviewing the above items, please @ me and I'll take another look. I'd suggest incorporating some bits and pieces from the above, especially how to work with CVEs.

Reply:

Thank you for the links! I changed it to link to the Plone security page.
I will also write to the security team to ask if they have any feedback on this change.