https://github.com/IntersectMBO/Open-Source-Office/security/advisories/new Please update to reflect this link within the revised Security policy.

@ThatGuyLLC Please give some thoughts on this.
@Emmanuel-Tyty @HarunJr can one of y'all audit this? |
HarunJr left a comment
Thanks for putting this together! The updates look good.
I just caught one minor typo that exists in both of the templates. Other than that it looks good to me.
| 5. **Fixing Issue**: The team agrees on the fix, the announcement, and the release schedule with the reporter. If the reporter is not responsive in a reasonable time frame this should not block the team from moving to the next steps particularly in the face of a high impact or high severity issue. | ||
| a. **Mitigation**: Depending on the severity and criticity of the issue, the team can decide to disclose the issue publicly in the absence of a fix _if and only if_ a clear, simple, and effective mitigation plan is defined. This _must_ include instructions for users and operators of the software, and a time horizon at which the issue will be properly fixed (eg. version number). |
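Review bot: step 5 makes the team's progress depend on the reporter responding "in a reasonable time frame" but never says what that is; since the policy explicitly allows the team to proceed without the reporter, the template should state a concrete window (a number of days, or a pointer to the timeline section of the policy) so the decision is not contestable later. In 5a, the "time horizon" example "(eg. version number)" is not a point in time; suggest "(e.g. a target date and/or release version)".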
On line 53. Change "Depending on the severity and [criticity] of the issue..." to "Depending on the severity and [criticality] of the issue..."
| If you discover a security vulnerability in xxxx, we encourage you to | ||
| responsibly disclose it to us. To report a vulnerability, please use | ||
| the [private reporting form on | ||
| GitHub](https://github.com/input-output-hk/mithril/security/advisories/new) |
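Review bot: the sentence keeps the `xxxx` placeholder but the link hard-codes the Mithril advisory URL (`https://github.com/input-output-hk/mithril/security/advisories/new`); a project that copies the template without editing that line would route its reports to the wrong repository. Replace the URL with a placeholder in the same style as the rest of the template, for example `(add project github form for your project)` as the Contact Information section already does.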
| - A description of the vulnerability and its potential impact. | ||
| - Steps to reproduce the vulnerability. | ||
| - The version of `xxxx` package where the vulnerability exists. |
| ## Introduction | ||
| The Cardano open source project (xxx) is committed to ensuring the security of |
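Review bot: the placeholder in this sentence is `(xxx)` while the rest of the template uses `xxxx`; use one placeholder token consistently so a search-and-replace when instantiating the template does not miss this line.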
| ## Contact Information | ||
| To report a security vulnerability, please use [GitHub | ||
| form]((add project github form for your project)). Should you experience any issues reporting via GitHub or have other questions, Please contact [Security](security@intersectmbo.org). |
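Review bot: the link `[GitHub form]((add project github form for your project))` uses doubled parentheses and will not render as a link in Markdown; a single pair around the placeholder is enough. `[Security](security@intersectmbo.org)` also lacks the `mailto:` scheme, so it renders as a relative link rather than opening a mail client; the form used later in this PR, `[security@intersectmbo.org](mailto:security@intersectmbo.org)`, is the one to use here. "Please" mid-sentence should be lower case.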
| 5. **Fixing Issue**: The team agrees on the fix, the announcement, and the release schedule with the reporter. If the reporter is not responsive in a reasonable time frame this should not block the team from moving to the next steps particularly in the face of a high impact or high severity issue. | ||
| a. **Mitigation**: Depending on the severity and criticity of the issue, the team can decide to disclose the issue publicly in the absence of a fix _if and only if_ a clear, simple, and effective mitigation plan is defined. This _must_ include instructions for users and operators of the software, and a time horizon at which the issue will be properly fixed (eg. version number). |
| This Security Vulnerability Disclosure Policy may be updated or | ||
| revised as necessary. Please check the latest version of this policy | ||
| on the [xxxx repository]((add link for your project)). |
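Review bot: same doubled-parentheses problem as in Contact Information: `[xxxx repository]((add link for your project))` needs a single pair of parentheses around the placeholder, otherwise the instantiated link will not render.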
| ## Conclusion | ||
| The xxxx project greatly appreciates the assistance of the security |
- Correct "criticity" typos in v1.0 and v1.1 templates
- Add functional GitHub security advisory links to all policies
- Update root SECURITY.md with project-specific reporting details
| ## Introduction | ||
| The Cardano open source project (xxx) is committed to ensuring the security of | ||
| {PROJECT-NAME} is committed to ensuring the security of |
This is Open-Source-Office.
I would like this updated to match the repo. We can set up a separate DRAFT.md if needed to show the outline. This is likely more appropriate on Dev-ex, dev portal, and gitbook though.
Understood. I'll move the entire security-policy-documents/ folder to the Dev-Ex repo where it belongs as a reusable template. This repo will keep a single root SECURITY.md, consistent with all other IntersectMBO repos.
Maybe not the whole file. This is OSO owned. Additionally, similar to other Intersect repos, you have a matching Security.md file. Maybe if you were to create a how-to for filling out the template, there would be value. Admittedly though, I imagine updating Security.md to match the repo is quite the simple task that a developer of any skill level should be able to complete.
| ### Reporting a Vulnerability | ||
| If you discover a security vulnerability in xxxx, we encourage you to | ||
| If you discover a security vulnerability in {PROJECT-NAME}, we encourage you to |
| - A description of the vulnerability and its potential impact. | ||
| - Steps to reproduce the vulnerability. | ||
| - The version of `xxxx` package where the vulnerability exists. | ||
| - The version of {PROJECT-NAME} package where the vulnerability exists. |
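Review bot: the replacement line reads "The version of {PROJECT-NAME} package" and drops both the code formatting around the placeholder and the article; suggest "The version of the {PROJECT-NAME} package where the vulnerability exists." so it reads correctly once the placeholder is substituted.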
| ## Conclusion | ||
| The xxxx project greatly appreciates the assistance of the security | ||
| The {PROJECT-NAME} project greatly appreciates the assistance of the security |
Just realized this is the historical record, let's anonymize all of this. Or update Open-Source-Office. Pick one and ensure each document matches holistically. Thanks
| ## Contact Information | ||
| To report a security vulnerability, please use {SOMETHING}. Should you experience any issues reporting via GitHub or have other questions, please contact [security@intersectmbo.org](mailto:security@intersectmbo.org). | ||
| To report a security vulnerability, please use the [security advisory form on GitHub](https://github.com/IntersectMBO/Open-Source-Office/security/advisories/new). Should you experience any issues reporting via GitHub or have other questions, please contact [security@intersectmbo.org](mailto:security@intersectmbo.org). |
Does the email look better with the tail? Or simply as 'Security'?
It's more explicit with the tail IMO, I'll use the full address format: [security@intersectmbo.org](mailto:security@intersectmbo.org).
| Please report (suspected) security vulnerabilities to security@intersectmbo.org. You will receive a | ||
| The preferred method for reporting a vulnerability is through the [security advisory form on GitHub](https://github.com/IntersectMBO/Open-Source-Office/security/advisories/new). | ||
| Alternatively, you can report (suspected) security vulnerabilities to security@intersectmbo.org. You will receive a |
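Review bot: the new "Alternatively" line leaves `security@intersectmbo.org` as plain text, whereas the Contact Information section of the same file uses `[security@intersectmbo.org](mailto:security@intersectmbo.org)`; link it the same way so both mentions are clickable and consistent.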
Is the email properly linked here?
| vulnerability, please mention them in your email but ***DO NOT*** attempt to include them as | ||
| attachments as this may cause your Email to be blocked by spam filters. | ||
| See the security file in the [Cardano engineering handbook](https://github.com/input-output-hk/cardano-engineering-handbook/blob/main/SECURITY.md). |
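Review bot: the context at the top of this hunk tells reporters not to attach proof-of-concept files because of spam filters but offers no alternative way to share them; since the GitHub advisory form is now the preferred route, the text should say that reproduction material can be submitted there, or that the team will arrange a secure channel after first contact. Dropping the Cardano Engineering Handbook link is consistent with the file being self-contained, provided no other line in the file still refers to it.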
Let's check this. I know that we still refer to CEH, but I am not confident that it has been updated with a Matching Security policy. Maybe this is a conversation you can pick up with @rober-m
I'll remove the CEH reference; the root SECURITY.md is now based on v1.1, which is self-contained. I'll follow up with @rober-m separately to check whether the CEH SECURITY.md needs updating to align with this policy.
Replaces the minimal placeholder file with the complete v1.1 security disclosure policy, substituting Open-Source-Office throughout and fixing the email to a proper mailto link. Removes the stale Cardano Engineering Handbook cross-reference.
List of changes