
Add a security policy file #149

Open
pnacht opened this issue May 19, 2023 · 4 comments · May be fixed by #217

Comments

@pnacht (Contributor) commented May 19, 2023

I've noticed that CONTRIBUTING.md points users to Facebook's bug-bounty program in case any security vulnerabilities are found in the project. Is that still the proper venue after PyTorch migrated to the Linux Foundation?

Regardless, having this information on a separate SECURITY.md file makes it much more visible for users. It'll be front and center for users who enter the project's "Security" panel, and they'll also see references to the policy in the "New issue" page.

If there's interest, I'd be happy to submit a PR with a draft policy (based on CONTRIBUTING.md or with any new information).


Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.

@Maratyszcza (Contributor) commented

@malfet PTAL

@malfet (Contributor) commented Jul 18, 2023

The PyTorch project has moved to the Linux Foundation, but other projects haven't. Adding a separate security.md sounds reasonable to me, and also enabling security vulnerability reporting for the project.
@Maratyszcza would you help me review those? Though the attack surface for cpuinfo is pretty small, as there are no binary builds of cpuinfo published anywhere, to the best of my knowledge.

@pnacht (Contributor, Author) commented Jul 19, 2023

Ah, was it only pytorch/pytorch that moved to the LF? I thought it was the entire org.

If so, would you like me to send a PR to set cpuinfo's security policy?

Alternatively, you could create a https://github.com/pytorch/.github repository. Adding the security policy there will make it available to all projects under the pytorch org. Any repos that need a different policy can add it to the repo and it will take precedence over the "default" policy.

@pnacht (Contributor, Author) commented Oct 24, 2023

Hey, just a quick bump here. Would there be interest in a PR with a draft security policy?

If yes, should it point to Facebook's bug-bounty program or has cpuinfo also moved to the Linux Foundation?

If not, feel free to close!

prashanthswami added a commit to prashanthswami/cpuinfo that referenced this issue Jan 11, 2024
@prashanthswami prashanthswami linked a pull request Jan 11, 2024 that will close this issue