generated from ossf/project-template
-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Borrowing heavily from Scorecard. Signed-off-by: Ben Cotton <[email protected]>
- Loading branch information
1 parent
a0f7108
commit 89de076
Showing
1 changed file
with
58 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| # Open Source Project Security Baseline Policy | ||
|
|
||
| This document outlines security procedures and general policies for the | ||
| Open Source Project Security Baseline. | ||
|
|
||
| This policy adheres to the [vulnerability management guidance](https://www.linuxfoundation.org/security) | ||
| for Linux Foundation projects. | ||
|
|
||
| - [Disclosing a security issue](#disclosing-a-security-issue) | ||
| - [Vulnerability management](#vulnerability-management) | ||
| - [Suggesting changes](#suggesting-changes) | ||
|
|
||
| ## Disclosing a security issue | ||
|
|
||
| The OSPS Baseline maintainers take all security issues in the project | ||
| seriously. | ||
| We appreciate your dedication to responsible disclosure and will make every effort to acknowledge your contributions. | ||
|
|
||
| OSPS Baseline GitHub's private vulnerability reporting. | ||
| To learn more about this feature and how to submit a vulnerability report, | ||
| review [GitHub's documentation on private reporting](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). | ||
|
|
||
| Here are some helpful details to include in your report: | ||
|
|
||
| - a detailed description of the issue | ||
| - the steps required to reproduce the issue | ||
| - versions of the project that may be affected by the issue | ||
| - if known, any mitigations for the issue | ||
|
|
||
| A maintainer will acknowledge the report within three (3) business days, and | ||
| will send a more detailed response within an additional three (3) business days | ||
| indicating the next steps in handling your report. | ||
|
|
||
| If you've been unable to successfully draft a vulnerability report via GitHub | ||
| or have not received a response during the response window, please | ||
| contact [OpenSSF security contact email](mailto:[email protected]). | ||
|
|
||
| After the initial reply to your report, the maintainers will endeavor to keep | ||
| you informed of the progress towards a fix and full announcement, and may ask | ||
| for additional information or guidance. | ||
|
|
||
| ## Vulnerability management | ||
|
|
||
| When the maintainers receive a disclosure report, they will assign it to a | ||
| primary handler. | ||
|
|
||
| This person will coordinate the fix and release process, which involves the | ||
| following steps: | ||
|
|
||
| - confirming the issue | ||
| - determining affected versions of the project | ||
| - auditing code to find any potential similar problems | ||
| - preparing fixes for all releases under maintenance | ||
|
|
||
| ## Suggesting changes | ||
|
|
||
| If you have suggestions on how this process could be improved please submit an | ||
| issue or pull request. |