Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add SECURITY.md #9804

Merged
merged 1 commit into from
Aug 2, 2021
Merged

Add SECURITY.md #9804

merged 1 commit into from
Aug 2, 2021

Conversation

marcdumais-work
Copy link
Contributor

What it does

As part of our project's periodic Eclipse Foundation progress review (1),
we are encouraged to add a security policy file, for our project. I went
with the miminal amount of information I thought was needed, not duplicating
info from the EF policy. It should be a good first step, I think.

In addition, I also modified the GitHub bug report issue template and PR
template, to make it clear they're not meant to be used to disclose security
vulnerabilities.

A nice side-effect of adding SECURITY.md is that GitHub automatically adds
an entry in our issue-submission page: "Report a security vulnerability",
that has a button "View Policy" that opens our policy.

There are some more seemingly nice GitHub project security features that
could be enabled for our repo/project (with webmaster's help). We can
consider them separately.

(1): https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/64

Fixes #8795

How to test

This is a non-functional change for the most part. To see the changes to the GH issue and PR templates "live", I have deployed this PR to the master branch of my fork:
https://github.com/marcdumais-work/theia/issues/new/choose

Review checklist

Reminder for reviewers

@vince-fugnitto vince-fugnitto added documentation issues related to documentation security issues related to security labels Jul 29, 2021
@marcdumais-work marcdumais-work mentioned this pull request Jul 29, 2021
1 task
@marcdumais-work
Copy link
Contributor Author

marcdumais-work commented Jul 29, 2021

What our "create new issue" page looks-like, with the PR deployed on my fork:
image

When you click on "View policy"
image

As part of our project's periodic Eclipse Foundation progress review (1),
we are encouraged to add a security policy file, for our project. I went
with the miminal amount of information I thought was needed, not duplicating
info from the EF policy. It should be a good first step, I think.

In addition, I also modified the GitHub bug report issue template and PR
template, to make it clear they're not meant to be used to disclose security
vulnerabilities.

A nice side-effect of adding SECURITY.md is that GitHub automatically adds
an entry in our issue-submission page: "Report a security vulnerability",
that has a button "View Policy" that opens our policy.

There are some more seemingly nice GitHub project security features that
could be enabled for our repo/project (with webmaster's help). We can
consider them separately.

(1): https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/64

Fixes #8795

Signed-off-by: Marc Dumais <[email protected]>
@marcdumais-work
Copy link
Contributor Author

@waynebeaton I am not sure we currently cover all aspects of the feedback you provided on the previous related PR. In particular:

[...] and what the team will do with the report.
[...] Describe the circumstances under which a CVE will be requested.

Could you please have a quick look at this PR and advise?

@marcdumais-work
Copy link
Contributor Author

@eclipse-theia FYI

Copy link
Member

@vince-fugnitto vince-fugnitto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes look good to me 👍
I'll let others provide feedback if necessary.

Copy link

@waynebeaton waynebeaton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@marcdumais-work
Copy link
Contributor Author

Thanks for the reviews - merging

@marcdumais-work marcdumais-work merged commit 2470421 into master Aug 2, 2021
@marcdumais-work marcdumais-work deleted the security_file branch August 2, 2021 15:14
@github-actions github-actions bot added this to the 1.17.0 milestone Aug 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation issues related to documentation security issues related to security
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Adding a security policy to the repo
3 participants