Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add initial security policy #5886

Merged
merged 4 commits into from
Mar 13, 2020
Merged

Add initial security policy #5886

merged 4 commits into from
Mar 13, 2020

Conversation

morgo
Copy link
Contributor

@morgo morgo commented Mar 3, 2020
edited
Loading

Fixes #5739

This is based on the Envoy security policy, with some simplifications for what I think makes sense for Vitess:

  • We don't currently have a product security team or a fix team (instead use maintainers and fix lead)
  • Fixes to master-only are handled less formally (courtesy email to list + developers notification)
  • There is no advanced disclosure to an embargoed list. We encourage users to seek maintainer nomination if this is important to their organization.

Feedback welcome of course!

Signed-off-by: Morgan Tocker [email protected]

@morgo
Add initial security policy
d4d2cf1 
Signed-off-by: Morgan Tocker <[email protected]>
@morgo morgo requested a review from sougou as a code owner March 3, 2020 15:33
pH14
pH14 reviewed Mar 5, 2020
View reviewed changes
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
@morgo
PR Feedback
9597f6a 
Signed-off-by: Morgan Tocker <[email protected]>
dkhenry
dkhenry reviewed Mar 6, 2020
View reviewed changes
SECURITY.md Outdated Show resolved Hide resolved
@morgo
Add other related circumstances
3c84f08 
Signed-off-by: Morgan Tocker <[email protected]>
dkhenry
dkhenry reviewed Mar 6, 2020
View reviewed changes
SECURITY.md Show resolved Hide resolved
dkhenry
dkhenry reviewed Mar 6, 2020
View reviewed changes
SECURITY.md Outdated

#### Policy for supported releases

If a security vulnerability affects supported branches (i.e. Vitess 5), then a Fix Lead will be appointed and the full security process as defined below will apply.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would remove the ( i.e. ) here. and change this to
If a security vulnerability affects currently supported branches
to prevent people from think Vitess 5 is a forever supported branch

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in e29d8f1 but there are a couple of places that needed to be updated. Please check to confirm!

@sougou sougou merged commit c0053b7 into vitessio:master Mar 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dkhenry dkhenry dkhenry left review comments

@pH14 pH14 pH14 approved these changes

@sougou sougou Awaiting requested review from sougou

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Create Security Disclosure Process (SECURITY.md)
4 participants
@morgo @dkhenry @pH14 @sougou