Conversation
levinmr previously approved these changes
Dec 11, 2024
Contributor
The only minor thing I see in here is that the GSA vulnerability disclosure policy is linked twice, and the links are slightly different.

Having vulnerabilities reported directly to the Analytics.usa.gov/DAP team is not really a good idea. I have been in touch w/ the GSA VDP team. We may be able to get access to the VDP findings directly. Let me have some more time to work on this, please.
Member
Author
Why not? @sfrederick-gsa-gov
No GSA Vulnerability Reporting and Tracking. Without a dedicated team, things tend to get lost in the shuffle. |
levinmr approved these changes
Dec 17, 2024
Copied the boilerplate SECURITY.md file from the Allstar repo. I omitted the section about bug bounties since DAP doesn't participate in the bug bounty program. Although, that wouldn't be a bad idea...

I decided not to follow the Allstar version's recommendation to route reporting through GSA's VDP. As far as I can tell, GSA will not give TTS development teams access to manage reports for their own properties in HackerOne. Also, I sent an email to gsa-vulnerability-reports@gsa.gov and haven't received a response. The GSA VDP feels like a black hole to me. If it proves itself otherwise, I'll consider updating this policy.
Fixes #139.