Update SECURITY.md with a process #716
Conversation
Good step forward
Good proposal. Just some nits on details
SECURITY.md
Outdated
- Once a security report is received, the core development team works to verify the issue.
- Patches are prepared for eligible releases in private repositories.
- We notify the community that a security release is coming, to give users time to prepare their systems for the update. Notifications can include Discord messages, tweets, and emails to partners and validators.
- 24 hours following this notification, the fixes are applied publicly and new releases are issued.
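Review bot: the second step says patches are prepared for "eligible releases" in private repositories, but the text does not say who decides eligibility or who is given access to those private repositories; naming the release lines covered (or pointing to the supported-versions part of SECURITY.md) would let operators know ahead of time whether their version will receive a fix. The fourth step's "24 hours following this notification" also reads as a hard commitment; phrasing it as a minimum ("at least 24 hours") keeps the option of holding the public release longer when chains need more time to coordinate an upgrade.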
We should be very sensible about whether these 24h make sense in our context. It may take much longer for chains to test and coordinate a software upgrade. They would be vulnerable within this period.
How would the advisories project fit into this process? It can be placed between patch and public announcement to give them some lead time.
Much of this was originally in CosmWasm/cw-plus#581
I think I addressed all concerns. Please let me know if there is more to do.
@webmaster128 can I get another review here?
Looks good
LGTM 👍
Add SECURITY text inspired by @elsehow
Much of this was originally in CosmWasm/cw-plus#581
Happy if @alpe and/or @webmaster128 can double check the process defined.