Security disclosure and reporting guidelines #100

Closed
coderanger opened this Issue Oct 25, 2013 · 12 comments

7 participants
@coderanger

balancedpayments.com has no clear instructions for how to report security issues or vulnerabilities. As prior art we can look at Django's guidelines and Alex Gaynor's general overview of the topic.

mahmoudimus (Contributor) commented Oct 25, 2013

ping @dmdj03 @timnguyen can we prioritize this?

dmdj03 commented Oct 29, 2013

Topics:
What is Balanced’s security policy
How Balanced discloses security issues
How Balanced notifies customers
How to report security issues

steveklabnik (Contributor) commented Nov 27, 2013

This is super important, is there anything I can do to help this along?

@dmdj03 dmdj03 referenced this issue in balanced/balanced-dashboard Dec 11, 2013

Closed

Add a security page linking from the security badge #102

steveklabnik (Contributor) commented Dec 16, 2013

We should certainly copy Django's policy basically verbatim. Our current page just links to a support page about it; is this going to be an actual page on the site now, or is it going to go there?

steveklabnik (Contributor) commented Dec 16, 2013

Rails' is also pretty good: http://rubyonrails.org/security

steveklabnik (Contributor) commented Dec 16, 2013

Taking from Django and Rails:

Balanced’s development team is strongly committed to responsible reporting and disclosure of security-related issues. As such, we've developed a policy for handling security issues.

## Reporting security issues

Short version: please report security issues by emailing security@balancedpayments.com.

We generally accept bug reports via GitHub, but due to the sensitive nature of security issues, we ask that they not be publicly reported in this fashion.

Instead, if you believe you’ve found something in any of Balanced's products which has security implications, please send a description of the issue via email to security@balancedpayments.com. Mail sent to that address reaches a subset of the development team, limiting the exposure of the issue.

Once you’ve submitted an issue via email, you should receive an acknowledgment from a member of the Balanced development team within 48 hours, and depending on the action to be taken, you may receive further follow-up emails.

This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible; however, it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.

## Encrypted email

If you want to send an encrypted email (optional), the public key ID for security@balancedpayments.com is KEY, and this public key is available from most commonly-used keyservers.

## Disclosure to Balanced customers

Our process for taking a security issue from private discussion to public disclosure involves multiple steps, and depends on which product has the issue.

If the API has an issue that does not affect client software, we will apply the relevant patches to the API, and deploy it.

If client libraries are affected, we will apply patches and release a new version to the relevant package managers (PyPI, RubyGems, etc.).

Once the software is patched, we will post a public entry on the Balanced blog, describing the issue and its resolution in detail, pointing to the relevant patches and new releases, and crediting the reporter of the issue (if the reporter wishes to be publicly identified).

Additionally, if we have reason to believe that an issue reported to us affects other frameworks or tools in the various ecosystems we use, we may privately contact and discuss those issues with the appropriate maintainers, and coordinate our own disclosure and resolution with theirs.

With Rails, we also have a security-announcement-only mailing list. We may want to do this, too?

dmdj03 commented Jan 3, 2014

(attached image: balanced_website_security)

coderanger commented Jan 3, 2014

👍 🌟 😺

steveklabnik (Contributor) commented Jan 4, 2014

Looks amazing! Let's do it.

timnguyen (Contributor) commented Jan 9, 2014

w00t! +1

On Fri, Jan 3, 2014 at 5:24 PM, Steve Klabnik notifications@github.com wrote:

> Looks amazing! Let's do it.

mjallday (Contributor) commented Jan 9, 2014

@dmdj03 can you please provide the copy and also mark up the image with the various styles that will be used for implementation? e.g. balancedRed100, etc.

dmdj03 commented Jan 20, 2014

(attached screenshot: screen shot 2014-01-20 at 11 34 13 am)

@ghost ghost assigned kyungmin Jan 20, 2014

@mjallday mjallday closed this in #156 Feb 3, 2014
