
docs: Add security disclosure policy #1194

Merged
merged 3 commits into from
Mar 21, 2023

Conversation

orpheuslummis
Contributor

@orpheuslummis orpheuslummis commented Mar 18, 2023

Relevant issue(s)

Resolves #1205

Description


Introduces a security disclosure policy for DefraDB, and more generally for the organization. This policy or other variations could be useful for other D2 projects. The rationale can be found on this doc: https://source.almanac.io/docs/security-disclosure-policy-80d5eb85cef6441a85827db6ccce0772?docView=Editing

Additional action items for the organization:

  • Creation of [email protected] hotline with someone or two responsible for quick response upon vulnerability disclosure
  • The aforementioned people to perform a practice drill of complete security vulnerability discovery lifecycle
  • Email is unsafe. Therefore, creation of secure channel for disclosure, for example PGP email for [email protected], or a Matrix address such as @security:source.network, etc.

Future tasks related to this will include:

  • Define a public policy for which exact versions of our systems we offer security support
  • Creation and maintenance of a Security hall of fame page

How has this been tested?

Humans

@orpheuslummis orpheuslummis added documentation Improvements or additions to documentation action/no-benchmark Skips the action that runs the benchmark. security Related to security labels Mar 18, 2023
@orpheuslummis orpheuslummis added this to the DefraDB v0.5 milestone Mar 18, 2023
@orpheuslummis orpheuslummis self-assigned this Mar 18, 2023
@orpheuslummis orpheuslummis marked this pull request as ready for review March 20, 2023 21:00
@orpheuslummis orpheuslummis requested a review from a team March 20, 2023 21:00
Contributor

@AndrewSisley AndrewSisley left a comment


LGTM, and a good starting point. I'm approving but I'd suggest leaving this open for others to look at first :)

Review comment on SECURITY.md (outdated, resolved)
@fredcarle
Collaborator

Question: Was this produced based on some existing security disclosure policy elsewhere?

@orpheuslummis
Contributor Author

Question: Was this produced based on some existing security disclosure policy elsewhere?

Yes, I looked at various ones (see included issue/discussion and document) and quite liked the Matrix one (lol), so it is very similar. https://matrix.org/security-disclosure-policy/ I'm not sure if it's worth mentioning that or having more differentiation?

Member

@jsimnz jsimnz left a comment


Love it, simple and to the point. LGTM.

@jsimnz
Member

jsimnz commented Mar 21, 2023

Unrelated: How the heck did this affect the code coverage? Are markdown files somehow included?

@AndrewSisley
Contributor

AndrewSisley commented Mar 21, 2023

Unrelated: How the heck did this affect the code coverage? Are markdown files somehow included?

P2P causes the code cov to bounce around a bit depending on the various concurrent elements that may or may not be hit on each test run.

@orpheuslummis orpheuslummis merged commit 990fad8 into develop Mar 21, 2023
@orpheuslummis orpheuslummis deleted the orpheus/docs/security-policy branch March 21, 2023 18:56
shahzadlone pushed a commit to shahzadlone/defradb that referenced this pull request Feb 23, 2024
Successfully merging this pull request may close these issues.

Security policy
4 participants