Add Security Policy #995
docs/docs/community/security.md
for the advisory so that you can join the discussion and validate any fixes | ||
we may propose. | ||
|
||
Once a fix has been agreed upon, we will merge the fix and create a new patch |
Will this always be a patch release?
At some points master has so many PRs merged that it might be included in a minor or major release, if those are the next around the corner, unless we backport, right?
Erm, yeah, probably not, I'll drop the word patch in this sentence
docs/docs/community/security.md
|
||
:::important | ||
If you believe you have found a vulnerability within OAuth2 Proxy or any of its | ||
dependencies, please do NOT open an issue on GitHub, please do NOT post any |
Worth mentioning not to open a PR with a proposed fix either?
Yeah good point, I'll update
|
||
### How will we respond to disclosures? | ||
|
||
We use [GitHub Security Advisories](https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories) |
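Review bot: the heading promises to describe how disclosures are handled, but the visible opening line only names the tool (GitHub Security Advisories); if the rest of the section does not already do so, consider adding an expected acknowledgement window for reporters (e.g. "we aim to acknowledge reports within N days") so the policy is actionable rather than just a pointer to the advisory mechanism.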
Sometimes they are minor security nice to haves and we decide to use traditional public PRs to collaborate and merge the change.
Do we want to document that decision process of public vs security advisory PR?
I'm not sure that's worth documenting other than, if the issue is minor, we may instead use the standard PR flow, WDYT? What kind of thoughts were you thinking of documenting?
LGTM!
Description
This adds a security policy for the project to ensure the community understands how to report security vulnerabilities and how we will respond to them.
I have added this to the current and previous versioned docs.
Motivation and Context
We should have had one of these for a long time!
Fixes #31
How Has This Been Tested?
cd docs
yarn start
Checklist: