Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: update security policy with private vulnerability reports info #3168

Merged
merged 6 commits into from Dec 12, 2022
Merged

docs: update security policy with private vulnerability reports info #3168

merged 6 commits into from Dec 12, 2022

Conversation

galargh
Copy link
Contributor

@galargh galargh commented Nov 25, 2022

Description

This PR updates the security policy to encourage users to file security vulnerability reports through https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability

The private vulnerability reports will show up here: https://github.com/libp2p/rust-libp2p/security/advisories?state=triage
The maintainers will receive GitHub notification about new private vulnerability reports.

Notes

Links to any relevant issues

Open Questions

Change checklist

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • A changelog entry has been made in the appropriate crates

mxinden
mxinden reviewed Nov 25, 2022
View reviewed changes
Copy link
Member

@mxinden mxinden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Thanks @galargh. I am assuming that this has been tested with a GitHub account that doesn't have any special permissions on the libp2p organization. Is that correct?

Would you mind updating the root README.md here as well?

rust-libp2p/README.md

Lines 16 to 18 in 5b4eab7

- For **security related issues** please reach out to security@libp2p.io. Please
do not file a public issue on GitHub.

@galargh
Copy link
Contributor Author

galargh commented Nov 25, 2022

Looks good to me. Thanks @galargh. I am assuming that this has been tested with a GitHub account that doesn't have any special permissions on the libp2p organization. Is that correct?

Yes! Not on this repo but I did test the flow where the user has no affiliation whatsoever with the target repository (using https://github.com/web3-bot and https://github.com/protocol/github-mgmt-template to be exact).

Would you mind updating the root README.md here as well?

Done! a9862ed

@mxinden
Copy link
Member

mxinden commented Nov 28, 2022

And could you include the update to the template below as well?

rust-libp2p/.github/ISSUE_TEMPLATE/bug_report.md

Line 8 in 5b4eab7

<!-- For security related issues please reach out to security@libp2p.io. Please do not file a public issue on GitHub. -->

@thomaseizinger
Copy link
Contributor

Adding send-it label to mark that we want to merge this as soon as we have #3213 sorted.

@mergify mergify bot merged commit 63ffc7f into master Dec 12, 2022
@thomaseizinger thomaseizinger deleted the private-vulnerability-reports branch February 24, 2023 14:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mxinden mxinden mxinden left review comments

@jxs jxs jxs approved these changes

@thomaseizinger thomaseizinger thomaseizinger approved these changes

@p-shahi p-shahi Awaiting requested review from p-shahi

Assignees
No one assigned
Labels
send-it
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@galargh @mxinden @thomaseizinger @jxs