Add default SECURITY page for all OME repositories #1
Conversation
SECURITY.md (Outdated)

The OME team and community take security bugs seriously.

If you discover a security vulnerability or would like to report a security issue privately and securely, please email us at security@openmicroscopy.org. You can use GPG keys to communicate with us securely.
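Review bot: the second paragraph tells reporters they can use GPG keys but gives neither a location for the team's key nor its fingerprint, so a reporter has no way to distinguish the genuine key from any other key that carries security@openmicroscopy.org in its user ID. Add a link to the published key or fingerprint right after the address, for example "You can use GPG keys to communicate with us securely; our key is published at https://www.openmicroscopy.org/security/", and consider adding the line "Please do not create a public GitHub issue." so that reports are not filed in the open by default.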
Can you link to the key?
Makes sense. We don't have a direct anchor to the website though? Or did you mean linking to a registry like https://pgp.key-server.io/pks/lookup?search=security%40openmicroscopy.org&fingerprint=on&op=vindex ?
Anything that enables people to get the key directly, or to verify the fingerprint. AFAIK anyone can create a key with any email address so searching by email is insufficient.
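The point made above (a user ID e-mail address proves nothing; only the published fingerprint identifies the key) as an added, runnable illustration that is not part of this pull request or of any OME repository. It parses the machine-readable `--with-colons` listing format that gpg emits, over a constructed sample in which two different keys both carry the same address, and shows that selecting by e-mail is ambiguous while pinning the published fingerprint selects exactly one key. All key IDs, fingerprints and addresses are made up for the example.

```python
"""Pin a contact key by fingerprint, not by the e-mail on its user ID.

Added example; the listing below is constructed, not real gpg output.
"""
import re

# Constructed sample in the shape of `gpg --with-colons --fingerprint` output.
# Two keys carry the same e-mail address; only one matches the published fingerprint.
SAMPLE_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1500000000::HASH1::Example Security Team <security@example.org>::::::::::0:
pub:-:2048:1:BBBBBBBBBBBBBBBB:1600000000:::-:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:-::::1600000000::HASH2::Example Security Team <security@example.org>::::::::::0:
"""

# Fingerprint as a project would publish it on its security page (constructed value).
PUBLISHED_FINGERPRINT = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"


def normalize_fingerprint(fpr):
    """Strip whitespace and colons and upper-case, so a copied fingerprint compares reliably."""
    return re.sub(r"[\s:]", "", fpr).upper()


def parse_colon_listing(text):
    """Parse pub/fpr/uid records into dicts with 'keyid', 'fingerprint' and 'uids'.

    In the colon format, field 5 of a pub record is the key ID, field 10 of an fpr
    record is the full fingerprint, and field 10 of a uid record is the user ID.
    """
    keys = []
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        rectype = fields[0]
        if rectype == "pub":
            current = {"keyid": fields[4], "fingerprint": None, "uids": []}
            keys.append(current)
        elif rectype == "fpr" and current is not None:
            current["fingerprint"] = fields[9]
        elif rectype == "uid" and current is not None:
            current["uids"].append(fields[9])
    return keys


def keys_matching_email(keys, email):
    """Keys whose user ID contains the address. Anyone can create such a key, so
    this can return several candidates and never authenticates any of them."""
    return [k for k in keys if any(email in uid for uid in k["uids"])]


def key_matching_fingerprint(keys, published):
    """The single key whose full fingerprint equals the published one, else None."""
    want = normalize_fingerprint(published)
    matches = [
        k for k in keys
        if k["fingerprint"] and normalize_fingerprint(k["fingerprint"]) == want
    ]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    keys = parse_colon_listing(SAMPLE_LISTING)
    by_email = keys_matching_email(keys, "security@example.org")
    print("keys claiming the address:", [k["keyid"] for k in by_email])
    pinned = key_matching_fingerprint(keys, PUBLISHED_FINGERPRINT)
    print("key matching the published fingerprint:", pinned["keyid"] if pinned else None)
```

Running it lists both constructed key IDs for the e-mail search but exactly one for the fingerprint pin; the same parser works on real `gpg --with-colons --fingerprint` output, which is why a SECURITY page should publish the fingerprint (or a direct link to the key) rather than only the address.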
Definitely can't trust the email address alone. I'd think a link to https://www.openmicroscopy.org/security/ (or potentially with an added anchor of #gpg-key) would suffice.
See ca235e2
Co-Authored-By: Mark Carroll <m.t.b.carroll@dundee.ac.uk>
LGTM. I'd say let's get these in and let's see how it looks in production which we can then iterate on cf. https://github.com/amzn/.github/blob/master/SECURITY.md ("Please do not create a public github issue.") Also of interest: https://github.com/EdOverflow/security-template/blob/master/.security.txt