
Missing security policy prevents a responsible disclosure in case a security vulnerability is discovered #1011

Open
quapka opened this issue Dec 29, 2021 · 8 comments
Labels
enhancement Improvement of existing features or bugfix

Comments

@quapka

quapka commented Dec 29, 2021

Is your feature request related to a problem? Please describe.
There is no security policy set up for this project. Also, searching for security in the documentation yields 0 results.

Describe the solution you'd like
A security policy is set up, e.g. using GitHub Security Advisory. Also when creating a new issue there should be an option to report a security vulnerability that links to the policy.

Describe alternatives you've considered
One can look for/guess e-mails of trusted maintainers, but that is far from a good practice.

Additional context
None.

@quapka quapka added the enhancement Improvement of existing features or bugfix label Dec 29, 2021
@quapka
Author

quapka commented Jan 25, 2022

Hi folks, is there a problem in adding a security policy?

@tyranron
Member

@quapka thanks for bringing this up! Sorry for the late reply; this is because all the maintainers have low bandwidth to dedicate to this project.

We'll add the security policy closer to releasing version 0.16.

@quapka
Author

quapka commented Jan 26, 2022

I see, @tyranron. When is the release expected or is there a secure communication channel in the meantime? Adding a security policy should not actually take much time. 🙂

@tyranron
Member

@quapka I guess for the moment you may reach me or @LegNeato privately by the email address specified in commits.

@LegNeato
Member

LegNeato commented Jan 27, 2022

I am personally a big fan of immediate public disclosure / radical transparency (I used to manage security updates for macOS and Firefox FWIW) but we haven't had a discussion between the maintainers about what we should do for juniper yet.

@quapka
Author

quapka commented Jan 28, 2022

(I used to manage security updates for macOS and Firefox FWIW)

@LegNeato that is a resume worth mentioning IMHO.

It is the maintainers'/code owners' decision how such issues should be handled. Simply coming to a project as an outsider, it is nice to have the disclosure policy clear and explicit (say in README.md and in SECURITY.md, the GitHub-specific security policy). Otherwise, it seems like it might not have been thought of, and filing an issue with a security vulnerability might come as a surprise.

@sno2

sno2 commented Sep 15, 2023

Hello, who should I contact for security vulnerabilities with this organization? I tried messaging the owner of the crate, but he is currently serving in the Ukrainian army and I want to make sure I contact the correct people.

@LegNeato
Member

#1011 (comment)
