Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add baseline security process #4

Merged
merged 4 commits into from
Jul 4, 2022

Conversation

SteveLasker
Copy link
Contributor

@SteveLasker SteveLasker commented Feb 17, 2022

Adds a baseline security process.
Note: Majority of the content copied from: https://github.com/helm/helm/blob/main/SECURITY.md

There are still a few todos

  • identify a security notifications email list
  • establish a set of maintainers of the Verasion project
  • establish a set of security maintainers - if these will be different
  • create a GOVERNANCE.md file, or redirect the link to ___

Signed-off-by: Steve Lasker stevenlasker@hotmail.com

Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
Copy link
Contributor

@thomas-fossati thomas-fossati left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing stuff Steve, thanks very much!

The one comment I have is about scope: since this is supposed to apply globally, I think we should create a github.com/veraison/policies repo and move this (and similarly scoped) content there. Then have each repo link the relevant bits.

SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
@SteveLasker SteveLasker modified the milestone: v1.0.0-RC1 Jul 1, 2022
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
@SteveLasker SteveLasker marked this pull request as ready for review July 1, 2022 19:51
@SteveLasker
Copy link
Contributor Author

This is ready for review.
Generalization of changes:

  • References the github security process/tab
  • Added a private distribution list for public email, privately to a set of security maintainers
  • Changed from all of veraison to go-cose, as each sub-project will have its own security tab.

Copy link
Contributor

@thomas-fossati thomas-fossati left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks! I left a couple of comments inline.

SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
@SteveLasker
Copy link
Contributor Author

Thanks @thomas-fossati, I've updated all the feedback.

Copy link
Contributor

@thomas-fossati thomas-fossati left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚢 it!

@henkbirkholz
Copy link
Member

Well... wouldn't it be cooler, if we set ourselves a deadline, before which we must have reacted and such? You know, in support of responsible disclosure; at the same time warning about the consequences of "wild disclosure"? Or is that out-of-scope?

@henkbirkholz
Copy link
Member

Also, full disclosure, after at least two 3rd party code review would be a nice-to-have, so others can learn from mistakes made. Not sure, if we can guarantee the resources for that, though.

@thomas-fossati
Copy link
Contributor

Well... wouldn't it be cooler, if we set ourselves a deadline, before which we must have reacted and such? You know, in support of responsible disclosure; at the same time warning about the consequences of "wild disclosure"? Or is that out-of-scope?

In an ideal world, yes. In the real world it's too risky.

@thomas-fossati
Copy link
Contributor

Also, full disclosure, after at least two 3rd party code review would be a nice-to-have, so others can learn from mistakes made. Not sure, if we can guarantee the resources for that, though.

That's a good aspiration. However, as you also noted, we are not in a position to commit anyone outside the 1st party ring.

Copy link
Contributor

@yogeshbdeshpande yogeshbdeshpande left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you Steve! LGTM!
Great Job!

@SteveLasker
Copy link
Contributor Author

Thanks @yogeshbdeshpandec @thomas-fossati, @henkbirkholz

Great to see the finishings come together

@SteveLasker SteveLasker merged commit 877c58e into veraison:main Jul 4, 2022
@yogeshbdeshpande
Copy link
Contributor

Hmm working on a USA Holiday! Great stuff!

@SteveLasker SteveLasker deleted the security-advisories branch February 15, 2023 23:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants