Skip to content

Commit

Permalink
Add SECURITY.md
Browse files Browse the repository at this point in the history
As part of our project's periodic Eclipse Foundation progress review (1),
we are encouraged to add a security policy file, for our project. I went
with the miminal amount of information I thought was needed, not duplicating
info from the EF policy. It should be a good first step, I think.

In addition, I also modified the GitHub bug report issue template and PR
template, to make it clear they're not meant to be used to disclose security
vulnerabilities.

A nice side-effect of adding SECURITY.md is that GitHub automatically adds
an entry in our issue-submission page: "Report a security vulnerability",
that has a button "View Policy" that opens our policy.

There are some more seemingly nice GitHub project security features that
could be enabled for our repo/project (with webmaster's help). We can
consider them separately.

(1): https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/64

Fixes #8795

Signed-off-by: Marc Dumais <[email protected]>
  • Loading branch information
marcdumais-work committed Jul 29, 2021
1 parent dece352 commit 1b54fb3
Show file tree
Hide file tree
Showing 3 changed files with 22 additions and 1 deletion.
6 changes: 5 additions & 1 deletion .github/ISSUE_TEMPLATE/bug_report.md
Original file line number Diff line number Diff line change
@@ -1,9 +1,13 @@
---
name: Bug Report
name: Bug Report (except security vulnerabilities)
about: Create a report to help us improve
---

<!-- Please provide a detailed description of the bug. -->
<!-- Note: This template is not meant for security vulnerabilities disclosure -->
<!-- Any such issue, created in this repo, will be deleted on sight -->
<!-- Instead please report vulnerabilities to the Eclipse Foundation's security team -->
<!-- For more details, please read SECURITY.md in the repository root -->
### Bug Description:

<!-- Please provide clear steps to reproduce the bug. -->
Expand Down
6 changes: 6 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,12 @@ the requirements below.
Contributors guide: https://github.com/theia-ide/theia/blob/master/CONTRIBUTING.md
-->

<!--
Note: Security vulnerabilities should not be disclosed on GitHub, through a PR or any
other means. See SECURITY.md at the root of this repository, to learn how to report
vulnerabilities.
-->

#### What it does
<!-- Include relevant issues and describe how they are addressed. -->

Expand Down
11 changes: 11 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# Eclipse Theia Vulnerability Reporting Policy

If you think or suspect that you have discovered a new security vulnerability
in this project, please __do not__ disclose it on GitHub, e.g. in an issue, a
PR, or a discussion. Any such disclosure will be removed/deleted on sight, to
promote orderly disclosure, as per the Eclipse Foundation Security Policy (1).

Instead, please report any potential vulnerability to the Eclipse Foundation [Security Team](https://www.eclipse.org/security/).

(1) _Eclipse Foundation Vulnerability Reporting Policy_:
[https://www.eclipse.org/security/policy.php](https://www.eclipse.org/security/policy.php)

0 comments on commit 1b54fb3

Please sign in to comment.