
Add SECURITY.md to guide security vulnerability reporting #11360

Open

wants to merge 7 commits into develop

Conversation

Ahlam-Banu

Fixes #11324

Screenshots

No screenshots are required for this documentation change.

Testing strategy

Since this is a documentation-only change, there is no specific testing needed. However, I have ensured that all links within the SECURITY.md file are functional and correctly point to the intended destinations.

Type of change

  • ✅ Documentation (non-code change)

I'm happy to incorporate any feedback or adjustments the team might suggest.

Add SECURITY.md to guide security vulnerability reporting
added some more disclosure language
@droidmonkey
Member

droidmonkey commented Oct 14, 2024

@phoerious whatcha think?

@Ahlam-Banu I added some more language to the document, thank you

@Ahlam-Banu
Author

Thank you for reviewing this! I appreciate the enhancements and am glad I could assist, thanks again!

@phoerious
Member

phoerious commented Oct 14, 2024

Perhaps some examples for what are security vulnerabilities and what aren't? I don't want to get a host of "hey, when I inject a DLL into your app, I can read everything" reports.

The sentence about not reserving CVEs without our say-so cannot be overemphasised.

@droidmonkey
Member

Good idea, and yeah still have CVE scars...

@Ahlam-Banu
Author

I’ve updated the file to include:

  • some examples of what constitutes a security vulnerability and what doesn't.
  • a highlighted note about not reserving CVEs without approval.

Let me know in case of additional adjustments/modifications, thanks!

@phoerious
Member

There will be no SQL injection, because we don't do SQL.

@Ahlam-Banu
Author

There will be no SQL injection, because we don't do SQL.

file is now updated accordingly :)

Successfully merging this pull request may close these issues.

Suggestion/Request to Add SECURITY.md to define a Security Policy