Add SECURITY.md #8842
Conversation
Adding a security policy to the Eclipse Theia repository, copied from Eclipse Vulnerability Reporting Policy. Signed-off-by: Luigi Gubello <[email protected]>
Hi @marcdumais-work, hi @svenefftinge /cc @vince-fugnitto 👋👋 I have contacted the Eclipse Foundation Security Team to understand how to assign CVE IDs to some public vulnerabilities of Theia IDE. They have replied so:
So, you can also use Github Security Advisories to track the security issues of the project 🎉 I think this feature can really help the community. In particular, about the CVE IDs, they have written:
So, on the Eclipse Foundation site, I see that you - @marcdumais-work and @svenefftinge - are the project leads. Can you report in Eclipse Bugzilla the known Theia vulnerabilities and assign them a unique CVE ID? I have created a list, but I'm not sure they are all the security issues missing a CVE ID:
Vulnerabilities:
Github issue: #8794
Github issue: #7954
Github issue: #7283
Github issue: #6987
Github issue: #6976
Cheers :)
Hi, any news about this PR?
@brianking I'd like to know if you have any comments on the repository including the
cc: @waynebeaton
One concern I have is that, for this file to be meaningful, it needs to be maintained, going forward. There's a lot of project info in that file, that's already available on our Eclipse Foundation project page, as well as Foundation's documentation related to security vulnerabilities. Potential compromise: link the content rather than copy it over.
Having a project-specific security policy is a good idea. Copying the Eclipse Foundation's policy doesn't add value. Worse, it adds a liability as the vulnerability management policy does change from time to time. The project-specific security policy should describe how the project implements the foundation's security policy. It doesn't have to be particularly complex. e.g., Note that you do NOT have to use Bugzilla to track vulnerability mitigation. Our current process requires that a member of the project team use Bugzilla to request a CVE. The project team can, for example, decide to use GitHub security advisories.
Sorry for my late reply and thank you for your comments!
Would that work?
Please note that I've edited my previous comment to add an important "NOT" that was missing.
FWIW, the Eclipse Foundation is re-evaluating our process around assigning CVEs. We are, for example, exploring how we can more optimistically assign CVEs without necessarily waiting for the project team to make a formal request.
The short version is that I don't believe that copying the EF's security policy adds value. What would be useful, IMHO, is a pointer to the EF policy, and a description of how vulnerabilities should be reported and what the team will do with the report.
e.g.,
Request that the reporter identify the specific versions that they are aware are affected, provide a concise description of the issue, a CWE, and other supporting information.
Describe the circumstances under which a CVE will be requested.
Any progress about this security issue: #8794?
Hi @luigigubello , @waynebeaton , FYI, I have a new, alternate PR, that adds a security policy to the repo: I went with the essentials, taking inspiration from this PR here and the discussions above.
What it does
Adding a security policy to the repo. See also the discussion in issue #8795