Documentation: Add notices about reporting security flaws #15260
Conversation
Thank you! I think it looks good, not approving for now, I'll wait for the opinion of others.
Why not use and mention Github's Security Advisories functionality?
I think the policy file must be in the markdown format then, using a .md suffix.
I'd prefer mentioning this as the first option and contacting us via mail as the second one.
Even though I totally agree on responsible disclosure, the current phrasing sounds a bit harsh to me; it could be understood as if we want to hide reported vulnerability issues.
I think a mix between this text and e.g. https://github.com/electron/electron/blob/main/SECURITY.md would be great.
Thanks for your feedback and suggestions. I will adjust the files and content as you suggested. If you want to bring it in early, feel free to take over.
bbb7858 to fca7a20
I'd add the SECURITY.md to https://github.com/crate/.github to have it enabled in all repositories.
And I'd also prefer the wording of https://github.com/electron/electron/blob/main/SECURITY.md
fca7a20 to 5d6ffe3
Hi again. I've updated the patch according to your suggestions, and will also prepare a similar one for https://github.com/crate/.github. Let me know about any kinds of wording adjustments you would like to see. 🙇
Other than the
Ours: https://github.com/crate/crate-python/security/advisories/new
About
This patch follows the suggestion by @Tu0Laj1 at [1], in order to improve the guidance about reporting security flaws.
The SECURITY.rst file has been derived from [2]. The SECURITY.md file has been derived from [3], as suggested on the review of the patch.
Footnotes
[1] https://community.cratedb.com/t/mitigations-for-reported-vulnerability/1676/7
[2] https://github.com/dec0dOS/amazing-github-template/blob/main/%7B%7Bcookiecutter.repo_slug%7D%7D/docs/SECURITY.md
[3] https://github.com/electron/electron/blob/main/SECURITY.md