Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

touch-up security policy #48280

Merged
merged 1 commit into from
Aug 2, 2024
Merged

touch-up security policy #48280

merged 1 commit into from
Aug 2, 2024

Conversation

thaJeztah
Copy link
Member

I noticed the OpenSSF scorecard (https://securityscorecards.dev/viewer/?uri=github.com/docker/docker) ranked a 9 out of 10 for the policy, as it had some warnings:

Info: security policy file detected: SECURITY.md:1
Info: Found linked content: SECURITY.md:1
Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
Info: Found text in security policy: SECURITY.md:1

This PR slightly touch-up the security policy in this repository to describe the process in more details.

  • Describe process around reporting, triage, and review.
  • Describe timelines for acknowledging reports.
  • Refer to supported versions / branches.

Some of this wording was adopted from containerd's policy (https://github.com/containerd/project/blob/main/SECURITY.md), adjusting where needed (e.g. the project currently does not have an embargoed security announce list, and no formal definition of security advisors).

@thaJeztah
Copy link
Member Author

cc @IanColdwater @rachel-taylor-docker (fyi)

There's probably more touching up possible (one step at a time); we have copies of this file in other repositories, so if we are ok with this version, I can update those in a follow-up.

@thaJeztah thaJeztah force-pushed the touchup_security branch 2 times, most recently from d61c32e to 58c8c4c Compare July 31, 2024 22:05
thaJeztah
thaJeztah commented Aug 1, 2024
View reviewed changes
SECURITY.md Outdated Show resolved Hide resolved
@thaJeztah thaJeztah added this to the 28.0.0 milestone Aug 1, 2024
@thaJeztah
Copy link
Member Author

Waiting for some minor changes, we can merge after.

@thaJeztah
touch-up security policy
dfe36fa 
Slightly touch-up the security policy in this repository to describe
the process in more details.

- Describe process around reporting, triage, and review.
- Describe timelines for acknowledging reports.
- Refer to supported versions / branches.

Some of this wording was adopted from containerd's policy, adjusting
where needed (e.g. the project currently does not have an embargoed
security announce list, and no formal definition of security advisors).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah merged commit 27b322e into moby:master Aug 2, 2024
126 checks passed
@thaJeztah thaJeztah deleted the touchup_security branch August 2, 2024 16:44
@thaJeztah thaJeztah mentioned this pull request Aug 5, 2024
Merged
This was referenced Oct 8, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@laurazard laurazard laurazard approved these changes

@vvoland vvoland vvoland approved these changes

@corhere corhere corhere approved these changes

Assignees
No one assigned
Labels
area/docs area/project area/security status/3-docs-review
Projects
None yet
Milestone
28.0.0
Development

Successfully merging this pull request may close these issues.
4 participants
@thaJeztah @corhere @vvoland @laurazard