From 1b54fb3f2e8350daf3c868043ba557903ca36e04 Mon Sep 17 00:00:00 2001 From: Marc Dumais Date: Mon, 28 Jun 2021 12:32:51 -0400 Subject: [PATCH] Add SECURITY.md As part of our project's periodic Eclipse Foundation progress review (1), we are encouraged to add a security policy file, for our project. I went with the minimal amount of information I thought was needed, not duplicating info from the EF policy. It should be a good first step, I think. In addition, I also modified the GitHub bug report issue template and PR template, to make it clear they're not meant to be used to disclose security vulnerabilities. A nice side-effect of adding SECURITY.md is that GitHub automatically adds an entry in our issue-submission page: "Report a security vulnerability", that has a button "View Policy" that opens our policy. There are some more seemingly nice GitHub project security features that could be enabled for our repo/project (with webmaster's help). We can consider them separately. (1): https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/64 Fixes #8795 Signed-off-by: Marc Dumais --- .github/ISSUE_TEMPLATE/bug_report.md | 6 +++++- .github/PULL_REQUEST_TEMPLATE.md | 6 ++++++ SECURITY.md | 11 +++++++++++ 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 SECURITY.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 1d536a95138e1..200423b593801 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -1,9 +1,13 @@ --- -name: Bug Report +name: Bug Report (except security vulnerabilities) about: Create a report to help us improve --- + + + + ### Bug Description: diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 00b88a5e0767e..8e8ac443f1530 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -5,6 +5,12 @@ the requirements below. Contributors guide: https://github.com/theia-ide/theia/blob/master/CONTRIBUTING.md --> + + #### What it does diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000000..4b370bedb83c5 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,11 @@ +# Eclipse Theia Vulnerability Reporting Policy + +If you think or suspect that you have discovered a new security vulnerability +in this project, please __do not__ disclose it on GitHub, e.g. in an issue, a +PR, or a discussion. Any such disclosure will be removed/deleted on sight, to +promote orderly disclosure, as per the Eclipse Foundation Security Policy (1). + +Instead, please report any potential vulnerability to the Eclipse Foundation [Security Team](https://www.eclipse.org/security/). + +(1) _Eclipse Foundation Vulnerability Reporting Policy_: +[https://www.eclipse.org/security/policy.php](https://www.eclipse.org/security/policy.php)
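Review bot: in the bug_report.md hunk, the four `+` lines added between the front matter and `### Bug Description:` appear empty as shown, so the rendered template gains only the renamed title `Bug Report (except security vulnerabilities)` and no visible pointer to where a vulnerability should be reported instead. If those lines were meant to carry an HTML comment, confirm it survived; either way, a short visible line such as `Security vulnerabilities: see SECURITY.md` would reach reporters who never read template comments.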
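Review bot: in the PULL_REQUEST_TEMPLATE.md hunk, the two lines added after the closing `-->` of the contributors-guide comment are likewise empty as shown, so the PR template carries no visible instruction against disclosing vulnerabilities in a PR. Whatever text is intended here should name SECURITY.md explicitly, and placing it next to `#### What it does` puts it where contributors actually look when filling in the template.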
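Review bot: the new SECURITY.md says clearly where not to disclose, but the only reporting instruction is the link to the Eclipse Foundation Security Team page; since GitHub surfaces this file behind the "View Policy" button mentioned in the commit message, consider adding which versions receive security fixes (for example a `## Supported Versions` section) and what a useful report should contain (affected version, reproduction steps, impact), so the policy is actionable without following the link. Minor: the footnote marker `(1)` is plain text while the rest of the file is Markdown; an inline link or Markdown footnote would read more consistently, and the last line repeats the URL as both link text and target.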