Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create a Security Policy #499

Merged
merged 2 commits into from
Mar 21, 2023
Merged

Create a Security Policy #499

merged 2 commits into from
Mar 21, 2023

Conversation

joycebrum
Copy link
Contributor

Closes #498

I’ve created the SECURITY.md file considering the report vulnerability through security advisory, which is a new github feature still in beta and that has to be enabled.

If you rather not enabling it there is also the possibility to receive the vulnerability report through an email, in this case just let me know which email it would be and I’ll submit the change.

Besides that feel free to edit or suggest any changes to this document, it is supposed to reflect the amount of effort the team can offer to handle vulnerabilities.

Copy link
Owner

@eliben eliben left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure what the 90 day disclosure is and how it applies here.

14 days would be better than 7

@joycebrum
Copy link
Contributor Author

The 90 days to disclosure is regarding the Public Vulnerability Disclosure, which is basically when the vulnerability will be made public to users know about it and work in their own remediations.

In github there is the Security Advisory which is used to do this public vulnerability disclosure.

AFAIK, there is some possible standard rules a project/org may adopt, which 90 days to disclosure is one of them:

  • until it is fixed;
  • until a certain amount of time has passed since a report was first submitted; (the 90 days for example)

According to tech target blog, most industry vendors, as well as Google's Project Zero team, recommend a 90-day deadline to fix a vulnerability before full public disclosure, with a seven-day requirement for critical security issues but fewer than seven days for critical vulnerabilities being actively exploited.

Let me know if you want to keep the 90 days of public disclosure or if you rather remove this part of the document and perhaps use the "until it is fixed" rule.

@eliben eliben merged commit 9e8cd29 into eliben:master Mar 21, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Create a Security Policy
2 participants