
Update SECURITY.md with a process #716

Merged
merged 2 commits into from
Mar 3, 2022

Conversation

ethanfrey
Member

Add SECURITY text inspired by @elsehow
Much of this was originally in CosmWasm/cw-plus#581

Happy if @alpe and/or @webmaster128 can double check the process defined.

Member

@webmaster128 webmaster128 left a comment


Good step forward

Contributor

@alpe alpe left a comment


Good proposal. Just some nits on details.

SECURITY.md Outdated
- Once a security report is received, the core development team works to verify the issue.
- Patches are prepared for eligible releases in private repositories.
- We notify the community that a security release is coming, to give users time to prepare their systems for the update. Notifications can include Discord messages, tweets, and emails to partners and validators.
- 24 hours following this notification, the fixes are applied publicly and new releases are issued.
Contributor


We should be very sensible if this 24h makes sense in our context. It may take much longer for chains to test and coordinate a software upgrade. They would be vulnerable within this period.

How would the advisories project fit into this process? It can be placed between patch and public announcement to give them some lead time.

@ethanfrey
Member Author

I think I addressed all concerns. Please let me know if there is more to do.
And we can release SECURITY.md in other repos that refer to this.

@ethanfrey
Member Author

@webmaster128 can I get another review here?

Member

@webmaster128 webmaster128 left a comment


Looks good

Contributor

@alpe alpe left a comment


LGTM 👍

@ethanfrey ethanfrey merged commit f35a13f into master Mar 3, 2022
@ethanfrey ethanfrey deleted the update-security-md branch March 3, 2022 20:04
4 participants