From 3f3854811a07f6eef87b4ef247ddacf7cfc16cc4 Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Wed, 3 Jul 2024 16:58:58 -0400 Subject: [PATCH] :book: Update security policy to be specific to OpenSSF Scorecard (#4212) * SECURITY: Revert to default OpenSSF security policy * SECURITY: Update policy to better describe disclosure and remediation * SECURITY: Reference LF policy and add fallback security contact * Apply suggestions from code review --------- Signed-off-by: Stephen Augustus Signed-off-by: Stephen Augustus Co-authored-by: Spencer Schrock --- SECURITY.md | 67 ++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 58 insertions(+), 9 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 65b40899abb..6fc6db8379d 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,11 +1,60 @@ -# Reporting Security Issues +# OpenSSF Scorecard Security Policy -To report a security issue, please email -[oss-security@googlegroups.com](mailto:oss-security@googlegroups.com) -with a description of the issue, the steps you took to create the issue, -affected versions, and, if known, mitigations for the issue. +This document outlines security procedures and general policies for the +OpenSSF Scorecard project. -Our vulnerability management team will respond within 3 working days of your -email. If the issue is confirmed as a vulnerability, we will open a -Security Advisory and acknowledge your contributions as part of it. This project -follows a 90 day disclosure timeline. +This policy adheres to the [vulnerability management guidance](https://www.linuxfoundation.org/security) +for Linux Foundation projects. + +- [Disclosing a security issue](#disclosing-a-security-issue) +- [Vulnerability management](#vulnerability-management) +- [Suggesting changes](#suggesting-changes) + +## Disclosing a security issue + +The OpenSSF Scorecard maintainers take all security issues in the project +seriously. Thank you for improving the security of OpenSSF Scorecard. We +appreciate your dedication to responsible disclosure and will make every effort +to acknowledge your contributions. + +OpenSSF Scorecard leverages GitHub's private vulnerability reporting. + +To learn more about this feature and how to submit a vulnerability report, +review [GitHub's documentation on private reporting](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). 
+ +Here are some helpful details to include in your report: + +- a detailed description of the issue +- the steps required to reproduce the issue +- versions of the project that may be affected by the issue +- if known, any mitigations for the issue + +A maintainer will acknowledge the report within 72 hours, and will send a more +detailed response within an additional 72 hours indicating the next steps in +handling your report. + +If you've been unable to successfully draft a vulnerability report via GitHub +or have not received a response during the alloted response window, please +reach out via the [OpenSSF security contact email](mailto:security@openssf.org). + +After the initial reply to your report, the maintainers will endeavor to keep +you informed of the progress towards a fix and full announcement, and may ask +for additional information or guidance. + +## Vulnerability management + +When the maintainers receive a disclosure report, they will assign it to a +primary handler. + +This person will coordinate the fix and release process, which involves the +following steps: + +- confirming the issue +- determining affected versions of the project +- auditing code to find any potential similar problems +- preparing fixes for all releases under maintenance + +## Suggesting changes + +If you have suggestions on how this process could be improved please submit an +issue or pull request.
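Review bot: The rewritten policy drops the disclosure timeline that the old text stated ("This project follows a 90 day disclosure timeline") without replacing it, so a reporter no longer knows when a confirmed issue will become public; the new "Vulnerability management" list also ends at "- preparing fixes for all releases under maintenance" with no step for opening a security advisory or crediting the reporter, both of which the old text promised ("we will open a Security Advisory and acknowledge your contributions as part of it"). Suggest stating an explicit disclosure window in the "Disclosing a security issue" section and adding a closing list item along the lines of "- publishing a security advisory and crediting the reporter" (exact wording to be confirmed by the maintainers). Minor: "alloted" in "during the alloted response window" should be "allotted".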