-
Notifications
You must be signed in to change notification settings - Fork 488
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
SECURITY: Update policy to better describe disclosure and remediation
Signed-off-by: Stephen Augustus <[email protected]>
- Loading branch information
1 parent
c40c7f6
commit 211c2c0
Showing
1 changed file
with
51 additions
and
24 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,24 +1,51 @@ | ||
# Reporting Security Issues | ||
|
||
<!-- TODO: Adapt any useful components from previous policy. | ||
- Where should issues be reported? | ||
- What goes in a report? | ||
- a description of the issue | ||
- the steps required to recreate the issue | ||
- affected versions | ||
- (if known) mitigations for the issue | ||
- What is the project's response time? | ||
- What happens next? | ||
- How are contributions acknowledged? | ||
- Is there a disclosure timeline? | ||
--> | ||
|
||
Per the [Linux Foundation Vulnerability Disclosure Policy](https://www.linuxfoundation.org/security), | ||
if you find a vulnerability in a project maintained by the Open Source Security | ||
Foundation (OpenSSF), please report that directly to the project maintaining | ||
that code, preferably using GitHub's [Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). | ||
|
||
If you've been unable to find a way to report it, or have received no response | ||
after repeated attempts, please contact the OpenSSF security contact email, | ||
[[email protected]](mailto:[email protected]). | ||
# OpenSSF Scorecard Security Policy | ||
|
||
This document outlines security procedures and general policies for the | ||
OpenSSF Scorecard project. | ||
|
||
- [Disclosing a security issue](#disclosing-a-security-issue) | ||
- [Vulnerability management](#vulnerability-management) | ||
- [Suggesting changes](#suggesting-changes) | ||
|
||
## Disclosing a security issue | ||
|
||
The OpenSSF Scorecard maintainers take all security issues in the project | ||
seriously. Thank you for improving the security of OpenSSF Scorecard. We | ||
appreciate your dedication to responsible disclosure and will make every effort | ||
to acknowledge your contributions. | ||
|
||
OpenSSF Scorecard leverages GitHub's private vulnerability reporting. | ||
|
||
To learn more about this feature and how to submit a vulnerability report, | ||
review [GitHub's documentation on private reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). | ||
|
||
Here are some helpful details to include in your report: | ||
|
||
- a detailed description of the issue | ||
- the steps required to reproduce the issue | ||
- versions of the project that may be affected by the issue | ||
- if known, any mitigations for the issue | ||
|
||
A maintainer will acknowledge the report within 72 hours, and will send a more | ||
detailed response within an additional 72 hours indicating the next steps in | ||
handling your report. After the initial reply to your report, the maintainers | ||
will endeavor to keep you informed of the progress towards a fix and full | ||
announcement, and may ask for additional information or guidance. | ||
|
||
## Vulnerability management | ||
|
||
When the maintainers receive a disclosure report, they will assign it to a | ||
primary handler. | ||
|
||
This person will coordinate the fix and release process, which involves the | ||
following steps: | ||
|
||
- confirming the issue | ||
- determining affected versions of the project | ||
- auditing code to find any potential similar problems | ||
- preparing fixes for all releases under maintenance | ||
|
||
## Suggesting changes | ||
|
||
If you have suggestions on how this process could be improved please submit an | ||
issue or pull request. |