Add SECURITY.md #9804
Merged
Add SECURITY.md #9804
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vince-fugnitto
added
documentation
|
What our "create new issue" page looks-like, with the PR deployed on my fork: When you click on "View policy" |
As part of our project's periodic Eclipse Foundation progress review (1), we are encouraged to add a security policy file, for our project. I went with the miminal amount of information I thought was needed, not duplicating info from the EF policy. It should be a good first step, I think. In addition, I also modified the GitHub bug report issue template and PR template, to make it clear they're not meant to be used to disclose security vulnerabilities. A nice side-effect of adding SECURITY.md is that GitHub automatically adds an entry in our issue-submission page: "Report a security vulnerability", that has a button "View Policy" that opens our policy. There are some more seemingly nice GitHub project security features that could be enabled for our repo/project (with webmaster's help). We can consider them separately. (1): https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/64 Fixes #8795 Signed-off-by: Marc Dumais <marc.dumais@ericsson.com>
marcdumais-work
force-pushed
the
security_file
branch
from
1b54fb3 to
1e0e2a5
Compare
|
@waynebeaton I am not sure we currently cover all aspects of the feedback you provided on the previous related PR. In particular:
Could you please have a quick look at this PR and advise? |
|
@eclipse-theia FYI |
vince-fugnitto
approved these changes
Jul 30, 2021
|
Thanks for the reviews - merging |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What it does
As part of our project's periodic Eclipse Foundation progress review (1),
we are encouraged to add a security policy file, for our project. I went
with the miminal amount of information I thought was needed, not duplicating
info from the EF policy. It should be a good first step, I think.
In addition, I also modified the GitHub bug report issue template and PR
template, to make it clear they're not meant to be used to disclose security
vulnerabilities.
A nice side-effect of adding SECURITY.md is that GitHub automatically adds
an entry in our issue-submission page: "Report a security vulnerability",
that has a button "View Policy" that opens our policy.
There are some more seemingly nice GitHub project security features that
could be enabled for our repo/project (with webmaster's help). We can
consider them separately.
(1): https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/64
Fixes #8795
How to test
This is a non-functional change for the most part. To see the changes to the GH issue and PR templates "live", I have deployed this PR to the master branch of my fork:
https://github.com/marcdumais-work/theia/issues/new/choose
Review checklist
Reminder for reviewers