Add a security policy #1736
Thank you! This looks really good, left a few comments
LGTM as a starting point
Awesome, thank you! Let's get @PeterAdams-A / @tomerd to have a look too
Generally OK I think. Added a couple of query comments.
The SwiftNIO core team asks that known and suspected vulnerabilities be
privately and responsibly disclosed by emailing
[cve@forums.swift.org](mailto:cve@forums.swift.org) with the [details usually
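Review bot: the policy text names cve@forums.swift.org as the only disclosure channel but does not say who reads that mailbox; the thread below asks exactly that, so the sentence should name the receiving team (the Swift core team, or a NIO-specific alias if one is created) next to the address so a reporter knows where a report lands.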
I assume you've checked this address is ok for us to use.
Who actually gets those mails?
I assume @tomerd -- but not certain
The Swift core team has access to this. We are considering creating such an email alias for SSWG projects, which may be applicable here. cc @weissi
Yeah, a NIO specific alias that posts to a private forums area would be great actually I think. WDYT other NIO devs?
I reckon we use the sswg-security-reports one and merge. WDYT?
Fine to merge now, we can always update later if/when we get a NIO specific one.
I am somewhat uncomfortable with keeping these two addresses aliased together but that doesn't need to block the merge of this patch.
Very nice, added a couple of comments.
Motivation:
Security is hugely important to us and our users yet we don't provide guidelines on how users should report vulnerabilities to us, nor any commitments we make to resolve these issues.

Modifications:
- Add SECURITY.md detailing how to report vulnerabilities and what happens when one is reported.

Result:
It's easier for users to report vulnerabilities to us.

Co-authored-by: Cory Benfield <lukasa@apple.com>