Add baseline security process #4

SteveLasker · 2022-02-17T23:41:30Z

Adds a baseline security process.
Note: Majority of the content copied from: https://github.com/helm/helm/blob/main/SECURITY.md

There are still a few todos

identify a security notifications email list
establish a set of maintainers of the Verasion project
establish a set of security maintainers - if these will be different
create a GOVERNANCE.md file, or redirect the link to ___

Signed-off-by: Steve Lasker stevenlasker@hotmail.com

Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>

thomas-fossati

Amazing stuff Steve, thanks very much!

The one comment I have is about scope: since this is supposed to apply globally, I think we should create a github.com/veraison/policies repo and move this (and similarly scoped) content there. Then have each repo link the relevant bits.

SECURITY.md

Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>

SteveLasker · 2022-07-01T19:55:49Z

This is ready for review.
Generalization of changes:

References the github security process/tab
Added a private distribution list for public email, privately to a set of security maintainers
Changed from all of veraison to go-cose, as each sub-project will have its own security tab.

thomas-fossati

LGTM, thanks! I left a couple of comments inline.

SECURITY.md

Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>

SteveLasker · 2022-07-01T22:46:36Z

Thanks @thomas-fossati, I've updated all the feedback.

thomas-fossati

🚢 it!

henkbirkholz · 2022-07-02T08:29:12Z

Well... wouldn't it be cooler, if we set ourselves a deadline, before which we must have reacted and such? You know, in support of responsible disclosure; at the same time warning about the consequences of "wild disclosure"? Or is that out-of-scope?

henkbirkholz · 2022-07-02T08:32:06Z

Also, full disclosure, after at least two 3rd party code review would be a nice-to-have, so others can learn from mistakes made. Not sure, if we can guarantee the resources for that, though.

thomas-fossati · 2022-07-02T09:19:44Z

Well... wouldn't it be cooler, if we set ourselves a deadline, before which we must have reacted and such? You know, in support of responsible disclosure; at the same time warning about the consequences of "wild disclosure"? Or is that out-of-scope?

In an ideal world, yes. In the real world it's too risky.

thomas-fossati · 2022-07-02T09:22:05Z

Also, full disclosure, after at least two 3rd party code review would be a nice-to-have, so others can learn from mistakes made. Not sure, if we can guarantee the resources for that, though.

That's a good aspiration. However, as you also noted, we are not in a position to commit anyone outside the 1st party ring.

yogeshbdeshpande

Thank you Steve! LGTM!
Great Job!

SteveLasker · 2022-07-04T14:39:41Z

Thanks @yogeshbdeshpandec @thomas-fossati, @henkbirkholz

Great to see the finishings come together

yogeshbdeshpande · 2022-07-04T14:41:52Z

Hmm working on a USA Holiday! Great stuff!

Add baseline security process

cfd1ccf

Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>

shizhMSFT mentioned this pull request Feb 22, 2022

Missing processes for reporting security vulnerabilities #5

Closed

thomas-fossati reviewed Feb 23, 2022

View reviewed changes

SECURITY.md Outdated Show resolved Hide resolved

SECURITY.md Outdated Show resolved Hide resolved

SECURITY.md Outdated Show resolved Hide resolved

SECURITY.md Outdated Show resolved Hide resolved

SECURITY.md Outdated Show resolved Hide resolved

yogeshbdeshpande reviewed Feb 24, 2022

View reviewed changes