New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to handle vulnerability disclosure? #20
Comments
That's an excellent point, and not something that has ever come up. It's probably worth defining outside of the context of our open source policy, but it certainly relates here. Definitely something I'd like to hear @NoahKunin's thoughts on. |
I agree it's a more general question. The part that touches the open source policy is in describing how someone can satisfy the policy, remediate a problem, and not inadvertently disclose. |
FWIW, I've tried to outline a process here: https://alexgaynor.net/2013/oct/19/security-process-open-source-projects/ this describes effectively what Django's process is; approximately the same material in talk form: http://www.heavybit.com/library/video/2014-10-14-alex-gaynor |
👍 Pinging @NoahKunin again. |
Something like a security.txt in the repo (and the site if it is/has one)? |
Disclosure policy: |
The Practice document should probably prescribe some policy for handling undisclosed security vulnerabilities. I can offer Fedora's policy, and Red Hat's process, but you have many options.
Maybe in the Practice document, or in another document about software development practices generally, I'd think about who's responsible for maintaining CVEs (if those are necessary), how one should organize a security response in general, and how you communicate remediations to the user base.
I'm sure your DAA would have opinions about all of this.
The text was updated successfully, but these errors were encountered: