From c40c7f661aa377af608263e1b3fb792f557a76c6 Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Wed, 3 Jul 2024 02:00:41 -0400 Subject: [PATCH 1/4] SECURITY: Revert to default OpenSSF security policy Signed-off-by: Stephen Augustus --- SECURITY.md | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 65b40899abb..7ab6a51f03a 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,11 +1,24 @@ # Reporting Security Issues -To report a security issue, please email -[oss-security@googlegroups.com](mailto:oss-security@googlegroups.com) -with a description of the issue, the steps you took to create the issue, -affected versions, and, if known, mitigations for the issue. - -Our vulnerability management team will respond within 3 working days of your -email. If the issue is confirmed as a vulnerability, we will open a -Security Advisory and acknowledge your contributions as part of it. This project -follows a 90 day disclosure timeline. + + +Per the [Linux Foundation Vulnerability Disclosure Policy](https://www.linuxfoundation.org/security), +if you find a vulnerability in a project maintained by the Open Source Security +Foundation (OpenSSF), please report that directly to the project maintaining +that code, preferably using GitHub's [Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). + +If you've been unable to find a way to report it, or have received no response +after repeated attempts, please contact the OpenSSF security contact email, +[security@openssf.org](mailto:security@openssf.org). From 211c2c0f5df4e69b5a5260e083c98c594c6f83b5 Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Wed, 3 Jul 2024 15:44:29 -0400 Subject: [PATCH 2/4] SECURITY: Update policy to better describe disclosure and remediation 
Signed-off-by: Stephen Augustus --- SECURITY.md | 75 ++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 51 insertions(+), 24 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 7ab6a51f03a..03b0e1ccbda 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,24 +1,51 @@ -# Reporting Security Issues - - - -Per the [Linux Foundation Vulnerability Disclosure Policy](https://www.linuxfoundation.org/security), -if you find a vulnerability in a project maintained by the Open Source Security -Foundation (OpenSSF), please report that directly to the project maintaining -that code, preferably using GitHub's [Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). - -If you've been unable to find a way to report it, or have received no response -after repeated attempts, please contact the OpenSSF security contact email, -[security@openssf.org](mailto:security@openssf.org). +# OpenSSF Scorecard Security Policy + +This document outlines security procedures and general policies for the +OpenSSF Scorecard project. + +- [Disclosing a security issue](#disclosing-a-security-issue) +- [Vulnerability management](#vulnerability-management) +- [Suggesting changes](#suggesting-changes) + +## Disclosing a security issue + +The OpenSSF Scorecard maintainers take all security issues in the project +seriously. Thank you for improving the security of OpenSSF Scorecard. We +appreciate your dedication to responsible disclosure and will make every effort +to acknowledge your contributions. + +OpenSSF Scorecard leverages GitHub's private vulnerability reporting. + +To learn more about this feature and how to submit a vulnerability report, +review [GitHub's documentation on private reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). 
+ +Here are some helpful details to include in your report: + +- a detailed description of the issue +- the steps required to reproduce the issue +- versions of the project that may be affected by the issue +- if known, any mitigations for the issue + +A maintainer will acknowledge the report within 72 hours, and will send a more +detailed response within an additional 72 hours indicating the next steps in +handling your report. After the initial reply to your report, the maintainers +will endeavor to keep you informed of the progress towards a fix and full +announcement, and may ask for additional information or guidance. + +## Vulnerability management + +When the maintainers receive a disclosure report, they will assign it to a +primary handler. + +This person will coordinate the fix and release process, which involves the +following steps: + +- confirming the issue +- determining affected versions of the project +- auditing code to find any potential similar problems +- preparing fixes for all releases under maintenance + +## Suggesting changes + +If you have suggestions on how this process could be improved please submit an +issue or pull request. From 1a8adee4ebc49970ec92a148280b3ea87ea25b24 Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Wed, 3 Jul 2024 16:34:29 -0400 Subject: [PATCH 3/4] SECURITY: Reference LF policy and add fallback security contact Signed-off-by: Stephen Augustus --- SECURITY.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 03b0e1ccbda..62a1dcee315 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -3,6 +3,9 @@ This document outlines security procedures and general policies for the OpenSSF Scorecard project. +This policy adheres to the [vulnerability management guidance](https://www.linuxfoundation.org/security) +for Linux Foundation projects. + - [Disclosing a security issue](#disclosing-a-security-issue) - [Vulnerability management](#vulnerability-management) - [Suggesting changes](#suggesting-changes) @@ -28,9 +31,15 @@ Here are some helpful details to include in your report: A maintainer will acknowledge the report within 72 hours, and will send a more detailed response within an additional 72 hours indicating the next steps in -handling your report. After the initial reply to your report, the maintainers -will endeavor to keep you informed of the progress towards a fix and full -announcement, and may ask for additional information or guidance. +handling your report. + +If you've been unable to successfully draft a vulnerability report via GitHub +or have not received a response during the alloted response window, please +reach out via the [OpenSSF security contact email](mailto:security@openssf.org). + +After the initial reply to your report, the maintainers will endeavor to keep +you informed of the progress towards a fix and full announcement, and may ask +for additional information or guidance. ## Vulnerability management From 31073057f6ac05d45558d5452e4088782a27fb2e Mon Sep 17 00:00:00 2001 From: Stephen Augustus Date: Wed, 3 Jul 2024 16:36:13 -0400 Subject: [PATCH 4/4] Apply suggestions from code review Co-authored-by: Spencer Schrock Signed-off-by: Stephen Augustus --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 62a1dcee315..6fc6db8379d 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -20,7 +20,7 @@ to acknowledge your contributions. OpenSSF Scorecard leverages GitHub's private vulnerability reporting. To learn more about this feature and how to submit a vulnerability report, -review [GitHub's documentation on private reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). +review [GitHub's documentation on private reporting](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). Here are some helpful details to include in your report:
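Review bot: in PATCH 1/4, the `@@ -1,11 +1,24 @@` hunk removes the only measurable commitments the old policy made (a response "within 3 working days" and a "90 day disclosure timeline") and replaces them with a pointer to the LF policy and a fallback address, so a reporter no longer knows when to expect a reply or when the issue will be published. Suggest keeping a response-time and disclosure-timeline sentence alongside the LF reference rather than deferring entirely to it. Also, the two bare `+` lines added directly under `# Reporting Security Issues` leave three consecutive blank lines at the top of the file (visible as `-# Reporting Security Issues - - - -Per the` in the next patch's removal); one blank line is enough.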
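Review bot: in PATCH 2/4, the `## Vulnerability management` list ends at `+- preparing fixes for all releases under maintenance` and never states how a fix reaches users or when the issue is disclosed, even though the preceding section promises to keep the reporter informed of "progress towards a fix and full announcement". Suggest adding steps for publishing a GitHub Security Advisory (with a CVE request, affected and fixed versions, and reporter credit, which the text says it will "make every effort to acknowledge") and a target disclosure window, since the 90-day timeline from the original file is now gone entirely. "releases under maintenance" is also undefined; point it at a supported-versions statement or say which release lines receive fixes.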
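Review bot: in PATCH 3/4, the `@@ -28,9 +31,15 @@` hunk has a typo, `+or have not received a response during the alloted response window` should read "allotted", and the phrase is ambiguous now that the policy defines two windows (72 hours to acknowledge, a further 72 hours for the detailed response); say which one triggers escalation, for example "if you have not received an acknowledgement within 72 hours". The opening `+If you've been unable to successfully draft a vulnerability report via GitHub` is awkward; "If you are unable to submit a report through GitHub's private vulnerability reporting" is clearer and matches the wording used earlier in the file.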