Security Policy #304

abnara · 2024-09-27T15:09:18Z

abnara
Sep 27, 2024

I wanted to know if there is a way to submit security issues. There is no Security.md file in the repo. This is a requirement for me to be able to use the product. Are there plans to add a security policy?

mikkelfj · 2024-09-28T07:40:45Z

mikkelfj
Sep 28, 2024
Maintainer

This is not exactly what you are asking for, but there is: https://github.com/dvidelabs/flatcc/blob/master/doc/security.md

There are no plans to add a security policy as there has been no pressing need. But it is possible to contact repo owner (me) directly by email, just look it up.

I don't feel like setting up a dedicated email for this, but you have any suggestions be my guest.
There have historically been a few issues that could have warranted a CVE alert but they have been fixed timely and https://github.com/dvidelabs/flatcc/blob/master/CHANGELOG.md is the best place to stay on top of issues.

0 replies

abnara · 2024-09-28T16:21:01Z

abnara
Sep 28, 2024
Author

Thanks for the quick reply :)
Maybe a Security.md can be committed with these 3 sections:

Security Policy (link to the other security.md document you mentioned)
Supported Versions
Reporting a vulnerability (mention repo owner email)

I know all this information already exists in different parts of the repo., but would help create some sort of “official” security policy.

0 replies

abnara · 2024-10-10T21:06:01Z

abnara
Oct 10, 2024
Author

Hi @mikkelfj
Any thoughts on my suggestion?

0 replies

mikkelfj · 2024-10-14T18:19:30Z

mikkelfj
Oct 14, 2024
Maintainer

Thanks for following up. These are reasonable suggestions.I think I might consider adding a SECURITY.md file, but then again, security is already referenced in the README, so I think that unless I set up a specific email address, it would not add much. For now I'm happy that my email is discoverable without being blatantly obvious.

As to supported versions, there aren't really any unsupported versions, but due to CI builds, the latest should work on a very large range of systems while being backwards compatible, so there isn't really much motivation for sticking with an older version, unless for code review reasons. If there is a specific concern in that regard, I'd advise looking through the change list and consider patching important fixes. If that is insufficient, open an issue, I'll see what can be done. If that is insufficient, consulting could be an option.

Feel free to use this issue as reference for internal documentation.

I will convert this issue into a discussion.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security Policy #304

{{title}}

Replies: 4 comments

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Security Policy #304

abnara Sep 27, 2024

Replies: 4 comments

mikkelfj Sep 28, 2024 Maintainer

abnara Sep 28, 2024 Author

abnara Oct 10, 2024 Author

mikkelfj Oct 14, 2024 Maintainer

abnara
Sep 27, 2024

mikkelfj
Sep 28, 2024
Maintainer

abnara
Sep 28, 2024
Author

abnara
Oct 10, 2024
Author

mikkelfj
Oct 14, 2024
Maintainer