
Add security policy #2235

Merged
merged 5 commits into from Oct 2, 2019

Conversation

@Betree (Member) commented Jul 12, 2019

Pay a reward, not a ransom.


Resolve #2375

This PR is a proposal for a security bounty policy, as discussed during our team retreat in Brussels.

It is inspired by other companies' policies, such as the one from YesWeHack (which we may want to use at some point if we want to actively look for hunters).

When merged we should also create the special security@opencollective.com email to handle reports (except if a better alternative is suggested).

I've made an (arbitrary) proposal for bounty amounts, please review them and suggest others if you think they're not right.


Also related: opencollective/opencollective-frontend#2146 adds a standard security.txt on our website.

@Betree Betree requested review from znarf, xdamman, piamancini and alanna Jul 12, 2019
@Betree Betree force-pushed the security-policy branch from 9d7d898 to 282a2fb Sep 3, 2019
@Betree (Member, Author) commented Sep 3, 2019

I made the following changes to the policy:

  • Add instructions about how to go public
  • Add exploitability requirement

See the related commits for the detailed changes.

@Betree (Member, Author) commented Sep 3, 2019

Added PGP public key for secure contact

@Betree Betree merged commit a37d01f into master Oct 2, 2019