Create SECURITY.md #2354

Merged
merged 3 commits into from
Mar 21, 2024
Conversation

dcmcand
Contributor

@dcmcand dcmcand commented Mar 21, 2024

What does this implement/fix?

Adds Security.md with instructions on reporting vulnerabilities.

Put an x in the boxes that apply

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds a feature)
  • Breaking change (fix or feature that would cause existing features not to work as expected)
  • Documentation Update
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no API changes)
  • Build related changes
  • Other (please describe): Repository maintenance

Testing

  • Did you test the pull request locally?
  • Did you add new tests?

Any other comments?

Member

@marcelovilla marcelovilla left a comment

This looks good to me. I only have two small suggestions but you can feel free to incorporate or ignore them:

  1. I'd link to https://github.com/nebari-dev/nebari/security/advisories/new instead of https://github.com/nebari-dev/nebari/security
  2. I'd explicitly tell people to NOT report a vulnerability on a public issue.

Member

@krassowski krassowski left a comment

In rare instances if someone does not have/want to use a GitHub account, is there a monitored email address they could send the vulnerability disclosure to? It is not strictly necessary but nice to have, conditional on someone actually monitoring such a mailbox.

Co-authored-by: Michał Krassowski <5832902+krassowski@users.noreply.github.com>
@dcmcand
Contributor Author

dcmcand commented Mar 21, 2024

In rare instances if someone does not have/want to use a GitHub account, is there a monitored email address they could send the vulnerability disclosure to? It is not strictly necessary but nice to have, conditional on someone actually monitoring such a mailbox.

There is not one that I am aware of.

@dcmcand
Contributor Author

dcmcand commented Mar 21, 2024

Thanks @marcelovilla and @krassowski, I added both of your changes

@dcmcand dcmcand merged commit f1e37c2 into develop Mar 21, 2024
1 of 2 checks passed
@dcmcand dcmcand deleted the dcmcand-patch-1 branch March 21, 2024 12:43
@viniciusdc viniciusdc added this to the 2024.3.3 milestone Mar 23, 2024