docs: Require all maintainers be involved in triaging sensitive bugs. #807
Update CONTRIBUTING.md to include guidance that all maintainers be included in discussions of security sensitive bugs and questions. The goal of triaging these issues is to gain consensus and that cannot be done without input from all maintainers. Signed-off-by: Philip Tricca <[email protected]>
Codecov Report

Coverage Diff (master vs. #807):

| | master | #807 | +/- |
|---|---|---|---|
| Coverage | 79.63% | 79.63% | |
| Files | 32 | 32 | |
| Lines | 3722 | 3722 | |
| Hits | 2964 | 2964 | |
| Misses | 758 | 758 | |

related to #806
listed in the [MAINTAINERS](MAINTAINERS) file directly so consensus on the | ||
issue and the appropriate resolution can be reached. Alternatively you may | ||
contact Intel by following the instructions | ||
[here](https://security-center.intel.com/VulnerabilityHandlingGuidelines.aspx) |
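Review bot: the added text gives reporters two channels, the MAINTAINERS list and Intel's vulnerability-handling page, without saying whether a report sent through the Intel route also reaches the maintainers; since the stated goal of the change is consensus among all maintainers, consider stating that Intel-routed reports are forwarded to the maintainers listed in MAINTAINERS, or dropping the Intel path. The sentence ending in the `[here](...)` link also lacks a terminating period.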
This is no longer an Intel project, so we should require users to email security sensitive bugs to Maintainers or private issues, but I don't think Github supports that (Gitlab feature AFAICT). However, there might be information in here but I have not delved into it very deeply. https://docs.github.com/en/code-security/repository-security-advisories/about-coordinated-disclosure-of-security-vulnerabilities
Generally all CVEs go through redhat
I think we can use this one about using github for security disclosure and coordination: https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories
Though this PR is related, the change you mention probably deserves its own. Do you have any specific wording in mind? Any objections to merging this as-is and turning your comments here into a PR?
Yes, my objection to merging this as-is is that it still lists Intel as a reporting entity. For now just say email the maintainers. Then we need to develop an org consistent security reporting procedure and documentation. We can take that in a second PR and use tpm2-abrmd to start it and then port that wording to all projects. Perhaps move everything into a SECURITY.md file so it's easy to move.
Closing, I'll email you: 056eff3