Merge pull request #167 from Ouranosinc/security-policy

add a security policy
Ouranosinc · Apr 23, 2024 · fe42b37 · fe42b37
2 parents 15f9641 + 53508fc
commit fe42b37
Show file tree

Hide file tree

Showing 7 changed files with 50 additions and 3 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -9,11 +9,15 @@ v0.6.0 (unreleased)
 
 Announcements
 ^^^^^^^^^^^^^
-* `miranda` boilerplate code is now versioned with `cruft <http://sddsd.sdss.sdsd>`_ and the `Ouranosinc/cookiecutter-pypackage <https://github.com/Ouranosinc/cookiecutter-pypackage>`_ template.
+* `miranda` boilerplate code is now versioned with `cruft <https://cruft.github.io/cruft>`_ and the `Ouranosinc/cookiecutter-pypackage <https://github.com/Ouranosinc/cookiecutter-pypackage>`_ template.
+
+Internal changes
+^^^^^^^^^^^^^^^^
+* `miranda` now has a security policy (`SECURITY.md`) for disclosing sensitive issues using secure communication channels. This has also been added to the documentation.
 
 v0.5.0 (2023-06-19)
 -------------------
-Contributors to this version: Juliette Lavoie (:user: `juliettelavoie`), Trevor James Smith (:user:`Zeitsperre`).
+Contributors to this version: Juliette Lavoie (:user:`juliettelavoie`), Trevor James Smith (:user:`Zeitsperre`).
 
 New features
 ^^^^^^^^^^^^

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,38 @@
+# Security Policy
+
+## Supported Versions
+
+`miranda` is in rapid development and receives regular updates every four to six (4-6) weeks. In the event of a security-related bug discovery soon after the release of an `miranda` version, the last supported version will receive a patch release.
+
+## Reporting a Vulnerability
+
+If you believe you have found a security vulnerability in `miranda`, we encourage you to let us know right away. We take all security vulnerabilities seriously and appreciate your efforts to responsibly disclose them.
+
+Please follow these steps to report a security vulnerability:
+
+1. **Email**: Email [github-support@ouranos.ca](mailto:github-support@ouranos.ca) with a detailed description of the vulnerability. If applicable, please include any steps or a proof-of-concept to help us understand and reproduce the issue.
+
+2. **Encryption (Optional)**: If you are concerned about the sensitivity of the information you are sharing, you can use the PGP key found below to encrypt your communication.
+
+3. **Response**: We will acknowledge your email within 48 hours and work with you to understand and confirm the vulnerability.
+
+4. **Fix and Disclosure**: Once the vulnerability is confirmed, we will work to address it promptly. We appreciate your patience as we investigate and implement a fix. Once resolved, we will coordinate the disclosure and provide credit to the reporter unless they prefer to remain anonymous.
+
+## PGP Encryption Key
+
+You can use the following PGP key to encrypt your communications with us:
+
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+    mDMEZamQrhYJKwYBBAHaRw8BAQdA+saPvmvr1MYe1nQy3n3QDcRE9T7UzTJ1XH31
+    EI4Zb6u0Mk91cmFub3MgR2l0SHViIFN1cHBvcnQgPGdpdGh1Yi1zdXBwb3J0QG91
+    cmFub3MuY2E+iJkEExYKAEEWIQSeAu+Cbjupx79jy9VeVFD6o5TVcwUCZamQrgIb
+    AwUJCWYBgAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRBeVFD6o5TVc4ho
+    AQDXjDkx0b3A7yl6PQ4hBJ2uYzw0UWbml7mUwVdhMmdZkQD/VJZQNWrCQeOtYEM8
+    icZJYwR/OsKFOWqlDytusGGtjwa4OARlqZCuEgorBgEEAZdVAQUBAQdAa41Zabjz
+    P9O+p6tI69Cnft6U5om3+qCcMo8amTqauH0DAQgHiH4EGBYKACYWIQSeAu+Cbjup
+    x79jy9VeVFD6o5TVcwUCZamQrgIbDAUJCWYBgAAKCRBeVFD6o5TVcwmaAQClDxW6
+    2gir7lhRXAcO+vmRImpGd29TrkcQVh+ak7VlwQEA706d7Kusiorlf/h8pLSoNMmS
+    kuLGmHpUJ8NVGppU+wo=
+    =wuxr
+    -----END PGP PUBLIC KEY BLOCK-----
diff --git a/docs/conf.py b/docs/conf.py
@@ -43,6 +43,7 @@
     "sphinx.ext.viewcode",
     "sphinx_codeautolink",
     "sphinx_copybutton",
+    "sphinx_mdinclude",
     "nbsphinx",
     "IPython.sphinxext.ipython_console_highlighting",
 ]
@@ -107,7 +108,7 @@
 # built documents.
 #
 # The short X.Y version.
-version = miranda.__version__
+version = miranda.__version__.split("-")[0]
 # The full version, including alpha/beta/rc tags.
 release = miranda.__version__
 

diff --git a/docs/index.rst b/docs/index.rst
@@ -11,6 +11,7 @@ Welcome to miranda's documentation!
    contributing
    authors
    changes
+   security
    license
 
 .. toctree::

diff --git a/docs/security.rst b/docs/security.rst
@@ -0,0 +1 @@
+.. mdinclude:: ../SECURITY.md
diff --git a/environment-docs.yml b/environment-docs.yml
@@ -13,4 +13,5 @@ dependencies:
   - sphinx-codeautolink
   - sphinx-copybutton
   - sphinx-intl
+  - sphinx-mdinclude
   - sphinxcontrib-napoleon
diff --git a/pyproject.toml b/pyproject.toml
@@ -75,6 +75,7 @@ docs = [
   "sphinx_codeautolink",
   "sphinx_copybutton",
   "sphinx-intl",
+  "sphinx-mdinclude",
   "sphinxcontrib-napoleon",
   "nbsphinx",
   "pandoc",