Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create SECURITY.md #7273

Merged
merged 5 commits into from
Jan 4, 2024
Merged

Create SECURITY.md #7273

merged 5 commits into from
Jan 4, 2024

Conversation

joycebrum
Copy link
Contributor

Closes #7265

I've created the SECURITY.md file considering the report vulnerability through security advisory, which is a new github feature.

If you're interested in the GitHub's feature, it must be activated for the repository:

  1. Open the repo's settings
  2. Click on Code security & analysis
  3. Click "Enable" for "Private vulnerability reporting (Beta)"

If you rather not enable it there is also the possibility to receive the vulnerability report through an email, in this case just let me know which email it would be and I'll submit the change.

Besides that, feel free to edit or suggest any changes to this document, it is supposed to reflect the amount of effort the team can offer to handle vulnerabilities.

Signed-off-by: Joyce <joycebrum@google.com>
@joycebrum
Copy link
Contributor Author

Hi, just pinging to know how is going this PR Review. Would I need to address any changes to this policy to be a better suit for rxjs?

Copy link
Member

@benlesh benlesh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general, I think this is a good idea. However, it seems like it should mention something about the license agreement, and the waiver of liability there in.

We, of course, want to fix any security issues as rapidly as possible. And a library like this is actually pretty unlikely to get security issues. But also as a volunteer, I don't really feel like being sued personally for damages that people feel were caused by not responding to security issue within a certain time period. Especially if there's a document that we approved that seems to be some sort of agreement on our part.

Signed-off-by: Joyce <joycebrum@google.com>
@joycebrum
Copy link
Contributor Author

Hi @benlesh thanks for the return. I've rephrased the policy to not explicitly mention a deadline for public disclosure (instead asking reporters to align with you before disclosing anything about the security issue).

Besides, I've added a paragraph to remind users about the Apache Liability aspect. Let me know if you think this would be better in the beginning of the doc.

Signed-off-by: Joyce <joycebrum@google.com>
@benlesh
Copy link
Member

benlesh commented Jan 4, 2024

Thanks, @joycebrum .. I think this is good. I am only concerned at this point, because I'm not entirely sure I'll notice the security advisories, as I'm not conditioned to check them, nor do I know quite how they work.

@benlesh benlesh merged commit 97326e8 into ReactiveX:master Jan 4, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants