From 59fcab281ebfe8aa6ff6c3e0835f5cd3379b06ba Mon Sep 17 00:00:00 2001 From: Mark Sagi-Kazar Date: Mon, 19 Apr 2021 14:41:51 +0200 Subject: [PATCH 1/2] docs: initial security policy Signed-off-by: Mark Sagi-Kazar --- .github/SECURITY.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 00000000..9decd34e --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,24 @@ +# Security Policy + +## Reporting a vulnerability + +To report a vulnerability, send an email to [cncf-dex-maintainers@lists.cncf.io](mailto:cncf-dex-maintainers@lists.cncf.io) +detailing the issue and steps to reproduce. The reporter(s) can expect a +response within 48 hours acknowledging the issue was received. If a response is +not received within 48 hours, please reach out to any maintainer directly +to confirm receipt of the issue. + +## Review Process + +Once a maintainer has confirmed the relevance of the report, a draft security +advisory will be created on Github. The draft advisory will be used to discuss +the issue with maintainers, the reporter(s). +If the reporter(s) wishes to participate in this discussion, then provide +reporter Github username(s) to be invited to the discussion. If the reporter(s) +does not wish to participate directly in the discussion, then the reporter(s) +can request to be updated regularly via email. + +If the vulnerability is accepted, a timeline for developing a patch, public +disclosure, and patch release will be determined. The reporter(s) are expected +to participate in the discussion of the timeline and abide by agreed upon dates +for public disclosure. From bf8c35ad2d1d74ba95e3296f60f8cb98be62ca23 Mon Sep 17 00:00:00 2001 From: Mark Sagi-Kazar Date: Mon, 19 Apr 2021 14:47:21 +0200 Subject: [PATCH 2/2] docs: update readme linking to the security policy 
Signed-off-by: Mark Sagi-Kazar --- README.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 190ddf52..6ae2a7b0 100644 --- a/README.md +++ b/README.md @@ -102,13 +102,9 @@ All changes or deprecations of connector features will be announced in the [rele * Client libraries * [Go][go-oidc] -## Reporting a security vulnerability +## Reporting a vulnerability -Due to their public nature, GitHub and mailing lists are NOT appropriate places -for reporting vulnerabilities. - -Please email the [maintainers list](mailto:cncf-dex-maintainers@lists.cncf.io) to report issues that may -be security-related. +Please see our [security policy](.github/SECURITY.md) for details about reporting vulnerabilities. ## Getting help
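Review bot: the new `.github/SECURITY.md` in PATCH 1/2 never tells reporters not to file vulnerabilities as public GitHub issues, even though the README text removed in PATCH 2/2 ("GitHub and mailing lists are NOT appropriate places for reporting vulnerabilities") carried exactly that instruction, so the guidance is lost in the series as a whole; add a sentence under "Reporting a vulnerability" such as "Please do not report security vulnerabilities through public GitHub issues" and state that cncf-dex-maintainers@lists.cncf.io is a private list, since the old wording singled out public mailing lists as unsuitable. In the "Review Process" paragraph, "discuss the issue with maintainers, the reporter(s)." is missing a conjunction and should read "with the maintainers and the reporter(s)", and "then provide reporter Github username(s) to be invited" reads better as "please provide the reporter's GitHub username(s) so they can be invited". "Github" appears twice here while the README uses "GitHub"; use the latter spelling throughout.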
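Review bot: this README hunk replaces the explicit "do not use GitHub or mailing lists" warning with a bare link, so a reader who does not follow the link gets no hint that public issues are the wrong channel; keep one short sentence in place, e.g. "Please do not open public GitHub issues for security problems; see our [security policy](.github/SECURITY.md) for how to report them." Also note that `.github/SECURITY.md` is a repository-relative path, which renders correctly on GitHub but breaks when the README is shown outside the repository (package registries, mirrored docs); an absolute URL to the file, or to the GitHub security-advisory page for the repo, would be more robust.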