Skip to content

Comments

docs: update security policy with private vulnerability reports info#3168

Merged
mergify[bot] merged 6 commits intomasterfrom
private-vulnerability-reports
Dec 12, 2022
Merged

docs: update security policy with private vulnerability reports info#3168
mergify[bot] merged 6 commits intomasterfrom
private-vulnerability-reports

Conversation

@galargh
Copy link
Member

@galargh galargh commented Nov 25, 2022

Description

This PR updates the security policy to encourage users to file security vulnerability reports through https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability

The private vulnerability reports will show up here: https://github.com/libp2p/rust-libp2p/security/advisories?state=triage
The maintainers will receive GitHub notification about new private vulnerability reports.

Notes

Links to any relevant issues

Open Questions

Change checklist

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • A changelog entry has been made in the appropriate crates

@galargh galargh requested review from mxinden and p-shahi November 25, 2022 11:19
mxinden
mxinden reviewed Nov 25, 2022
View reviewed changes
Copy link
Member

@mxinden mxinden left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Thanks @galargh. I am assuming that this has been tested with a GitHub account that doesn't have any special permissions on the libp2p organization. Is that correct?

Would you mind updating the root README.md here as well?

rust-libp2p/README.md

Lines 16 to 18 in 5b4eab7

- For **security related issues** please reach out to security@libp2p.io. Please
do not file a public issue on GitHub.

@galargh
Copy link
Member Author

galargh commented Nov 25, 2022

Looks good to me. Thanks @galargh. I am assuming that this has been tested with a GitHub account that doesn't have any special permissions on the libp2p organization. Is that correct?

Yes! Not on this repo but I did test the flow where the user has no affiliation whatsoever with the target repository (using https://github.com/web3-bot and https://github.com/protocol/github-mgmt-template to be exact).

Would you mind updating the root README.md here as well?

Done! a9862ed

@mxinden
Copy link
Member

mxinden commented Nov 28, 2022

And could you include the update to the template below as well?

rust-libp2p/.github/ISSUE_TEMPLATE/bug_report.md

Line 8 in 5b4eab7

<!-- For security related issues please reach out to security@libp2p.io. Please do not file a public issue on GitHub. -->

@thomaseizinger
Copy link
Contributor

thomaseizinger commented Dec 12, 2022

Adding send-it label to mark that we want to merge this as soon as we have #3213 sorted.

@mergify mergify bot merged commit 63ffc7f into master Dec 12, 2022
@thomaseizinger thomaseizinger deleted the private-vulnerability-reports branch February 24, 2023 14:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mxinden mxinden mxinden left review comments

@jxs jxs jxs approved these changes

@thomaseizinger thomaseizinger thomaseizinger approved these changes

@p-shahi p-shahi Awaiting requested review from p-shahi

Assignees

No one assigned

Labels

send-it

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@galargh @mxinden @thomaseizinger @jxs