Adding details about CVEs in third party dependencies #5941
Approved.
content/security/index.adoc
This project is configured in such a way that only the reporter, the maintainers, and the Jenkins security team can see the details.
Restricting access to this potentially sensitive information allows core and plugin maintainers to develop effective security fixes that are safe to apply.
We provide issue reporting guidelines and an overview of our process on link:reporting[Reporting Security Vulnerabilities].

If you are unable to report using our issue tracker, you can also send your report to the private Jenkins Security Team mailing list:
`jenkinsci-cert@googlegroups.com`

IMPORTANT: Do not contact the Jenkins security team asking us for compliance documents, certifications, or to fill out a questionnaire.
We will not respond to such queries.
If we consider it necessary to provide a statement in response to incidents such as link:/blog/2021/12/10/log4j2-rce-CVE-2021-44228/[log4shell] or link:/blog/2022/03/31/spring-rce-CVE-2022-22965/[SpringShell], you will find a response in our link:/node/[blog].

To show our appreciation for your help, we'll send you link:/security/gift/[a small reward] for privately reported, valid vulnerability reports.
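Review bot: the `link:reporting[Reporting Security Vulnerabilities]` target in the third line of this block is relative, while every other link here (`/blog/...`, `/security/gift/`) is site-absolute; a relative target resolves against the URL of whatever page renders this snippet, so `link:/security/reporting/[Reporting Security Vulnerabilities]` would be the consistent form if that is the intended destination. Please also confirm that `link:/node/[blog]` is the intended path for the blog index, given that the two incident posts referenced in the same sentence live under `/blog/`.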
FTR the redundancy here was deliberate.
Would you suggest keeping this redundancy?
I see the interest of having the information as close as possible to the potential reporters, but also the drawback of having two pages talking about the same things, in a sense.
Would you suggest keeping this redundancy?
Yes.
I see the interest of having the information as close as possible to the potential reporters, but also the drawback of having two pages talking about the same things, in a sense.
One is the quick summary, the other is the full level of detail. (Of course, if we feel we need to add more details to the quick summary, making it too long, like we've kinda started with the IMPORTANT block here, its value diminishes.)
Co-authored-by: Daniel Beck <1831569+daniel-beck@users.noreply.github.com>
Quickly addressed the merge conflicts I introduced.
Hi @daniel-beck, I wanted to follow up and see if your concerns were addressed with the updates that have been made. If not, what could be changed to provide the right messaging?
I liked the phrasing of this enough to quote it in a community.jenkins.io post.
Pending a conversation with Wadeck we've been postponing repeatedly since January…
Please take a moment and address the merge conflicts of your pull request. Thanks!
As the reporting of CVEs is a recurrent topic within the security team, I would like to clarify our standpoint.