doc: add minimal SECURITY.md template #1588
Conversation
@bensternthal could you please add it to the agenda?
Shouldn't this document reference https://github.com/openjs-foundation/cross-project-council/blob/main/PROJECT_SECURITY_REPORTING.md, with the new one you're creating? Or could they be merged?
LGTM! Regardless of the final location
That document seems too specific to vulnerability reporting; of course, they overlap, as we must mention how to report vulnerabilities in SECURITY.md. In other words, I think they could be merged, yes, but it's not necessary.
To @bjohansebas's point above, shouldn't we structure this like we've structured CoC handling?
We have briefly discussed this in the security-collab-space, and it seems there is an objection against those redirects. I don't have a strong opinion on this, to be honest, so I'll defer this to the next CPC meeting.
Would you mind sharing what the objections are? (Not that I want to dispute them, just that it's useful information to have.)
"Objection" is a strong word 😅. The issue is that the single most important thing in this document is the instructions for privately reporting security issues, which is going to vary from project to project. There are other aspects as well, such as categories of things that a project will not consider to be a vulnerability, response expectations, report handling and coordination, etc. Ultimately, projects need to be thinking about how they handle security reporting. It's great that we provide them a template, but it will always need to be modified to fit project needs and operating procedures.
Co-authored-by: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Signed-off-by: Rafael Gonzaga <rafael.nunu@hotmail.com>
Compare: 5f8a098 to 7c2e004
* docs: include CNA Escalation in the security policy
  References:
  - openjs-foundation/cross-project-council#1588
  - https://openjsf.org/blog/openjs-foundation-cna
* chore: rewording
Notes from this week's CPC call: This was discussed in the CPC call today. The decision was made to follow the initial route and not use the same structure as the code of conduct, as I suggested above. The goal is to merge by end of week to unblock related work.
Updated the security policy to include detailed reporting guidelines and escalation procedures for vulnerabilities. Ref: openjs-foundation/cross-project-council#1588
* docs: revise security reporting guidelines and escalation process
  ref: openjs-foundation/cross-project-council#1588
* docs: remove emails from sec policy
PR-URL: #59806
Refs: openjs-foundation/cross-project-council#1588
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Refs: openjs-foundation/security-collab-space#290