Adding a security policy to the repo #8795
Comments
@marcdumais-work, can we set up security policies in this repo? Does the Eclipse community have such a template that we can reuse as-is?
If you want, I can help to write a draft CVD policy for the Theia repo. At the moment, the Eclipse Foundation has a generic security policy; maybe we can adapt it to this repo. I suggest tracking Theia IDE security issues also using GitHub security advisories.
@luigigubello I guess it depends what you have in mind exactly. I agree that currently it's not easy for a visitor to this repo to find what to do in case they found a security vulnerability. If you can propose a PR that helps with that, great. Theia is an Eclipse Foundation project, and they set the high-level security policy that we have to follow. So your draft should explicitly point to and extend the Foundation's security policy, not try to replace it. In case of doubt, I can have them have a look. Sounds like a plan?
The Eclipse Foundation's security policy seems to be good, but I'm not clear on how security issues are tracked at the moment. I mean, in the policy I read:
I think this point is really important. GitHub security advisories don't have to replace the Eclipse Foundation bug tracking, but they can be a user-friendly mirror. So, my question is: how are security issues tracked and disclosed at the moment? Both fixed and open bugs. I mean, I have this list: Security issues:
Is there a way to track them? (CVE or GH advisories or Eclipse Foundation bug ID, just be public) @marcdumais-work I will open a PR for suggesting a policy for this repo; it will be based on the Eclipse Found. policy, but I think this project needs better vulnerability tracking. Do you agree? Can we work together to improve this security process? :)
Fixes eclipse-theia#8795 Signed-off-by: Marc Dumais <[email protected]>
Also modify bug report issue template to make it clear it's not to be used to report security vulnerabilities. Fixes eclipse-theia#8795 Signed-off-by: Marc Dumais <[email protected]>
Also modify bug report issue template and PR template to make it clear they're not to be used to disclose security vulnerabilities. Fixes eclipse-theia#8795 Signed-off-by: Marc Dumais <[email protected]>
Also modified the GitHub bug report issue template and PR template, to make it clear they're not to be used to disclose security vulnerabilities. Fixes eclipse-theia#8795 Signed-off-by: Marc Dumais <[email protected]>
As part of our periodic Eclipse Foundation project review (1), we are encouraged to add a security policy file for our project. I went with the minimal amount of information I thought was needed, not duplicating info from the EF policy. It should be a good first step, I think. In addition, I also modified the GitHub bug report issue template and PR template, to make it clear they're not meant to be used to disclose security vulnerabilities. A nice side-effect of adding SECURITY.md is that GitHub automatically adds an entry in our issue-submission page: "Report a security vulnerability", that has a button "View Policy" that opens our policy. There are some more seemingly nice GitHub project security features that could be enabled for our repo/project (with webmaster's help). We can consider them separately. (1): https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/64 Fixes eclipse-theia#8795 Signed-off-by: Marc Dumais <[email protected]>
As part of our project's periodic Eclipse Foundation progress review (1), we are encouraged to add a security policy file for our project. I went with the minimal amount of information I thought was needed, not duplicating info from the EF policy. It should be a good first step, I think. In addition, I also modified the GitHub bug report issue template and PR template, to make it clear they're not meant to be used to disclose security vulnerabilities. A nice side-effect of adding SECURITY.md is that GitHub automatically adds an entry in our issue-submission page: "Report a security vulnerability", that has a button "View Policy" that opens our policy. There are some more seemingly nice GitHub project security features that could be enabled for our repo/project (with webmaster's help). We can consider them separately. (1): https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/64 Fixes #8795 Signed-off-by: Marc Dumais <[email protected]>
Feature Description:
Theia IDE Security Policy
Theia IDE is a popular open-source project, but it is missing a policy for reporting vulnerabilities. I think it would be important for people who want to report a critical issue in the right way. In addition, I suggest tracking critical bugs in the GitHub security advisories section (e.g. will issue #7954 receive a CVE?).
Thank you
Best regards