Security disclosure and reporting guidelines #100

Closed
coderanger opened this issue Oct 25, 2013 · 12 comments · Fixed by #156

@coderanger

balancedpayments.com has no clear instructions for how to report security issues or vulnerabilities. As prior art we can look at Django's guidelines and Alex Gaynor's general overview of the topic.

@mahmoudimus
Contributor

ping @dmdj03 @timnguyen can we prioritize this?

@dmdj03

dmdj03 commented Oct 29, 2013

Topics:
What is Balanced’s security policy
How Balanced discloses security issues
How Balanced notifies customers
How to report security issues

@steveklabnik
Contributor

This is super important, is there anything I can do to help this along?

@steveklabnik
Contributor

We should certainly copy Django's policy basically verbatim. Our current page just links to a support page about it; is this going to be an actual page on the site now, or is it going to go there?

@steveklabnik
Contributor

Rails' is also pretty good http://rubyonrails.org/security

@steveklabnik
Contributor

Taking from Django and Rails:

Balanced’s development team is strongly committed to responsible reporting and disclosure of security-related issues. As such, we've developed a policy for handling security issues.

## Reporting security issues

Short version: please report security issues by emailing security@balancedpayments.com.

We generally accept bug reports via GitHub, but due to the sensitive nature of security issues, we ask that they not be publicly reported in this fashion.

Instead, if you believe you’ve found something in any of Balanced's products which has security implications, please send a description of the issue via email to security@balancedpayments.com. Mail sent to that address reaches a subset of the development team, limiting the exposure of the issue.

Once you’ve submitted an issue via email, you should receive an acknowledgment from a member of the Balanced development team within 48 hours, and depending on the action to be taken, you may receive further followup emails.

This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.

## Encrypted email

If you want to send an encrypted email (optional), the public key ID for security@balancedpayments.com is KEY, and this public key is available from most commonly-used keyservers.

## Disclosure to Balanced customers

Our process for taking a security issue from private discussion to public disclosure involves multiple steps, and depends on which product has the issue.

If the API has an issue that does not affect client software, we will apply the relevant patches to the API, and deploy it.

If client libraries are affected, we will apply patches and release a new version to the relevant package managers (PyPI, Rubygems, etc).

Once the software is patched, we will post a public entry on the Balanced blog, describing the issue and its resolution in detail, pointing to the relevant patches and new releases, and crediting the reporter of the issue (if the reporter wishes to be publicly identified).

Additionally, if we have reason to believe that an issue reported to us affects other frameworks or tools in the various ecosystems we use, we may privately contact and discuss those issues with the appropriate maintainers, and coordinate our own disclosure and resolution with theirs.

With Rails, we also have a security-announcement only mailing list. We may want to do this, too?

@dmdj03

dmdj03 commented Jan 3, 2014

[attached image: balanced_website_security]

@coderanger
Author

👍 🌟 😺

@steveklabnik
Contributor

Looks amazing! Let's do it.

@timnguyen
Contributor

w00t! +1


@mjallday
Contributor

mjallday commented Jan 9, 2014

@dmdj03 can you please provide the copy and also mark up the image with the various styles that will be used for implementation? e.g. balancedRed100, etc.

@dmdj03

dmdj03 commented Jan 20, 2014

[attached screenshot, 2014-01-20]
