
Add a security policy #1736

Merged
merged 2 commits into from
Mar 8, 2021

Conversation

glbrntt
Contributor

@glbrntt glbrntt commented Jan 27, 2021

Motivation:

Security is hugely important to us and our users yet we don't provide
guidelines on how users should report vulnerabilities to us, nor any
commitments we make to resolve these issues.

Modifications:

  • Add SECURITY.md detailing how to report vulnerabilities and what
    happens when one is reported.

Result:

It's easier for users to report vulnerabilities to us.

@glbrntt glbrntt added the semver/none No version bump required. label Jan 27, 2021
@glbrntt glbrntt requested review from Lukasa and weissi January 27, 2021 14:04
@glbrntt glbrntt marked this pull request as draft January 27, 2021 14:04
Member

@weissi weissi left a comment


Thank you! This looks really good, left a few comments

Contributor

@Lukasa Lukasa left a comment


LGTM as a starting point

@glbrntt glbrntt marked this pull request as ready for review January 29, 2021 08:27
@glbrntt glbrntt requested a review from weissi January 29, 2021 08:28
Member

@weissi weissi left a comment


Awesome, thank you! Let's get @PeterAdams-A / @tomerd to have a look too

Contributor

@PeterAdams-A PeterAdams-A left a comment


Generally OK I think. Added a couple of query comments.


The SwiftNIO core team asks that known and suspected vulnerabilities be
privately and responsibly disclosed by emailing
[cve@forums.swift.org](mailto:cve@forums.swift.org) with the [details usually
Contributor


I assume you've checked this address is ok for us to use.

Contributor


Who actually gets those mails?

Contributor Author


I assume @tomerd -- but not certain

Member


The Swift core team has access to this. We are considering creating such an email alias for SSWG projects, which may be applicable here. cc @weissi

Member


Yeah, a NIO specific alias that posts to a private forums area would be great actually I think. WDYT other NIO devs?

Member


@tomerd is it possible to get a NIO-specific one? @Lukasa / @glbrntt are we waiting for this or can we just merge this PR (I'm in favour of merging now).

Member


I reckon we use the sswg-security-reports one and merge. wdyt?

Contributor Author


Fine to merge now, we can always update later if/when we get a NIO specific one.

Contributor


I am somewhat uncomfortable with keeping these two addresses aliased together but that doesn't need to block the merge of this patch.

Member

@tomerd tomerd Mar 8, 2021


@Lukasa @weissi @glbrntt this should be changed to sswg-security-reports (SSWG), which has more relevant people on it than cve@forums.swift.org (Swift core team).

Member

@tomerd tomerd left a comment


Very nice, added a couple of comments.

@Lukasa Lukasa merged commit d781a7c into apple:main Mar 8, 2021
hassila pushed a commit to hassila/swift-nio that referenced this pull request Mar 26, 2021
Co-authored-by: Cory Benfield <lukasa@apple.com>