Docs: Add security policy #2908
Merged
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
# GitHub Readme Stats Security Policies and Procedures <!-- omit in toc --> | ||
|
||
This document outlines security procedures and general policies for the | ||
GitHub Readme Stats project. | ||
|
||
- [Reporting a Vulnerability](#reporting-a-vulnerability) | ||
- [Disclosure Policy](#disclosure-policy) | ||
|
||
## Reporting a Vulnerability | ||
|
||
The GitHub Readme Stats team and community take all security vulnerabilities | ||
seriously. Thank you for improving the security of our open source | ||
software. We appreciate your efforts and responsible disclosure and will | ||
make every effort to acknowledge your contributions. | ||
|
||
Report security vulnerabilities by emailing the GitHub Readme Stats team at: | ||
|
||
``` | ||
[email protected] | ||
``` | ||
|
||
The lead maintainer will acknowledge your email within 24 hours, and will | ||
send a more detailed response within 48 hours indicating the next steps in | ||
handling your report. After the initial reply to your report, the security | ||
team will endeavor to keep you informed of the progress towards a fix and | ||
full announcement, and may ask for additional information or guidance. | ||
|
||
Report security vulnerabilities in third-party modules to the person or | ||
team maintaining the module. | ||
|
||
## Disclosure Policy | ||
|
||
When the security team receives a security bug report, they will assign it | ||
to a primary handler. This person will coordinate the fix and release | ||
process, involving the following steps: | ||
|
||
* Confirm the problem. | ||
* Audit code to find any potential similar problems. | ||
* Prepare fixes and release them as fast as possible. |
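Review bot: the Disclosure Policy list ends at "Prepare fixes and release them as fast as possible" while the Reporting section promises progress "towards a fix and full announcement"; add a closing step that says how the fix is announced (for example a GitHub security advisory or release note) and whether the reporter is credited, so the two sections agree. The "acknowledge your email within 24 hours" and "more detailed response within 48 hours" lines are firm response-time commitments for a volunteer-maintained project; consider wording them as targets ("we aim to acknowledge within 24 hours") so the policy does not promise more than the team can sustain. The "omit in toc" HTML comment in the title line is harmless but only matters if a TOC generator is actually used in this repository.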
Although having a security policy is a nice addition, and I understand why in high-stakes projects security issues are communicated in private over email, I think for this project it is enough to report security issues under https://github.com/anuraghazra/github-readme-stats/issues. However, if @anuraghazra is okay with having his email here, I'm okay with the merge.
I suggest this email because it was already published inside CODE_OF_CONDUCT.md, see: https://github.com/anuraghazra/github-readme-stats/blob/master/CODE_OF_CONDUCT.md#enforcement. But maybe it's really better to wait for @anuraghazra's approval.
I asked @anuraghazra to review this. Just to be sure 👍🏻.
@rickstaa Alternatively, we can create a separate email box with shared access between all GRS team members. Maybe it would be better, because Anurag or any other member may be busy at work and unable to attend to a vulnerability report promptly. What do you think?
@qwerty541 Given that @anuraghazra published the email himself (I checked the commit log), I think merging this is fine. @anuraghazra can always change or remove the email later 👍🏻.