
Add SECURITY.md to guide security vulnerability reporting #11360

Merged
merged 9 commits into from
Oct 19, 2024

Conversation

Ahlam-Banu
Contributor

Fixes #11324

Screenshots

No screenshots are required for this documentation change.

Testing strategy

Since this is a documentation-only change, there is no specific testing needed. However, I have ensured that all links within the SECURITY.md file are functional and correctly point to the intended destinations.

Type of change

  • ✅ Documentation (non-code change)

I'm happy to incorporate any feedback or adjustments the team might suggest.

Add SECURITY.md to guide security vulnerability reporting
added some more disclosure language
@droidmonkey
Member

droidmonkey commented Oct 14, 2024

@phoerious whatcha think?

@Ahlam-Banu I added some more language to the document, thank you

@Ahlam-Banu
Contributor Author

Thank you for reviewing this! I appreciate the enhancements and am glad I could assist, thanks again!

@phoerious
Member

phoerious commented Oct 14, 2024

Perhaps some examples for what are security vulnerabilities and what aren't? I don't want to get a host of "hey, when I inject a DLL into your app, I can read everything" reports.

The sentence about not reserving CVEs without our say-so cannot be overemphasised.

@droidmonkey
Member

Good idea, and yeah still have CVE scars...

@Ahlam-Banu
Contributor Author

I’ve updated the file to include:

  • some examples of what constitutes a security vulnerability and what doesn't.
  • highlighted the note about not reserving CVEs without approval.

Let me know in case of additional adjustments/modifications, thanks!

@phoerious
Member

There will be no SQL injection, because we don't do SQL.

@Ahlam-Banu
Contributor Author

> There will be no SQL injection, because we don't do SQL.

file is now updated accordingly :)

@droidmonkey
Member

There is no need to keep merging the develop branch, thank you!

Final round of cleanup
@droidmonkey
Member

Made a few cleanup edits, ready for publishing

@droidmonkey droidmonkey merged commit 95bae83 into keepassxreboot:develop Oct 19, 2024
11 checks passed
Successfully merging this pull request may close these issues.

Suggestion/Request to Add SECURITY.md to define a Security Policy
3 participants