jehna/readme-best-practices

Add security disclosure policy section?

Closed this issue · 9 comments

I think it would be useful to add something along the lines of what docker has.

Security Disclosure

Security is very important to us. If you have any issue regarding security, please disclose the information responsibly by sending an email to xxx@xxx.com and not by creating a github issue.

There are more complex examples available, but I think something short and to the point is a great first step and easier to handle for small projects.

jehna commented

Does an average project need security disclosure policy? What do you think?

What would be the best security disclosure policy for an average project? Would that be to include contact email address?

jehna commented

A quick search reveals that it's not that common to include a security disclosure in the README. But that doesn't mean that it would be a bad practice.

I found this project to have a spot-on section about disclosing vulnerabilities.

jehna commented

Or should this be a part of the "contributing" section of the README? I like how this repo has just added their responsible disclosure program as part of the "how to contribute" section (although they're calling the section "Issue Reporting").

There was an interesting talk on this topic at dotSecurity a few weeks ago
but the videos are not yet online.

The bottom line was that it is important to make it easy to report security
issues and make the reporter feel safe in doing so, much in line with what
you linked in the second link.

As to whether it is something every little project needs, I think it is up
to the project maintainer, but I think that if it is in the template, then
they have to make a voluntary decision to remove it and in the process
think about something that may have not crossed their minds before.
On 17 May 2016 9:55 p.m., "Jesse Luoto" notifications@github.com wrote:

A quick search
https://github.com/search?p=2&q=security+disclosure+filename%3Areadme.md&type=Code&utf8=%E2%9C%93
reveals that it's not that common to include a security disclosure in the
README. But that doesn't mean that it would be a bad practice.

I found this project
https://github.com/AwsGunForHire/aws-iot-device-sdk-dotnet to have a
spot-on section about disclosing vulnerabilities.


jehna commented

@mgilbir could you check the pull request #3 and tell me what you think?

Hi, I gave the talk that was mentioned above. I love the idea of adding a line about security to a README template! It does not need to be long or fancy, just make the points

  • if you think you found a security vulnerability (i.e. no need to be 100% sure)
  • please report privately like this (i.e. we are serious about this, there's a process--even if there's not actually one)
  • thank you, we really appreciate your effort to protect our users (i.e. we won't sue you)

I'm afraid, however, that suggesting a public contact like an IRC channel would not inspire much trust, so maybe go for the email.

jehna commented

@FiloSottile I mentioned the IRC in the pull request, since you can send private messages to channel admins, which should be as secure as with traditional emails.

The reason I did not include email is that exposing a public email address to the "wild" will most definitely increase the amount of spam in the inbox.

I agree it would probably be easiest for the vulnerability's reporter to just send a simple email. But I wouldn't want the average repository owner to worry about creating a new email just for the project so their own emails don't get spammed. So I'd suggest the "default" would be to encourage the channels the project is already using, whether it is Slack, IRC or a mailing list.

What do you think?

jehna commented

Created PR #10 to tackle this issue. Please check and review if anything crucial was left out.

LGTM