Create SECURITY.md #3052
A simple instruction for security researchers!
Thanks for the PR. Security policy should perhaps be an organization wide policy and not just one for Uppy. Furthermore, I would recommend sending vulnerabilities to an email listing with multiple people from the Uppy team instead of just Artur, who might also be absent from time to time.
For reference, here is security.md from unified, for inspiration on things we may want to add as well.
Probably we can suffice by saying that security issues and concerns may be shared via the public GitHub issue tracker, tagged with the security label, unless there is a high risk of malicious crowds exploiting the shared vulnerability, in which case we should forward folks to https://transloadit.com/security/, which has all the rules & addresses for how Transloadit would handle these cases. We could optionally add some more content to https://transloadit.com/security/ to explicitly support the uppy/tus use cases.
Co-authored-by: Kevin van Zonneveld <vanzonneveld@gmail.com>
| Package | Version | Package | Version |
| ------------------------- | ------- | ------------------------- | ------- |
| @uppy/angular | 0.2.6 | @uppy/locales | 2.0.4 |
| @uppy/audio | 0.2.0 | @uppy/onedrive | 2.0.5 |
| @uppy/aws-s3 | 2.0.6 | @uppy/provider-views | 2.0.6 |
| @uppy/aws-s3-multipart | 2.2.0 | @uppy/react | 2.1.2 |
| @uppy/box | 1.0.5 | @uppy/screen-capture | 2.0.5 |
| @uppy/companion | 3.1.2 | @uppy/status-bar | 2.1.2 |
| @uppy/companion-client | 2.0.4 | @uppy/store-default | 2.0.3 |
| @uppy/core | 2.1.3 | @uppy/thumbnail-generator | 2.0.6 |
| @uppy/dashboard | 2.1.2 | @uppy/transloadit | 2.0.5 |
| @uppy/drag-drop | 2.0.5 | @uppy/tus | 2.1.2 |
| @uppy/dropbox | 2.0.5 | @uppy/url | 2.0.5 |
| @uppy/facebook | 2.0.5 | @uppy/utils | 4.0.4 |
| @uppy/file-input | 2.0.5 | @uppy/webcam | 2.0.5 |
| @uppy/golden-retriever | 2.0.6 | @uppy/xhr-upload | 2.0.6 |
| @uppy/google-drive | 2.0.5 | @uppy/zoom | 1.0.5 |
| @uppy/image-editor | 1.1.0 | @uppy/robodog | 2.1.4 |
| @uppy/informer | 2.0.5 | uppy | 2.3.0 |
| @uppy/instagram | 2.0.5 | | |

- meta: add release automations (Antoine du Hamel / #3304)
- @uppy/dashboard: Save meta fields when opening the image editor (Merlijn Vos / #3339)
- @uppy/aws-s3-multipart: Drop `lockedCandidatesForBatch` and mark chunks as busy when preparing (Yegor Yarko / #3342)
- @uppy/webcam: fix broken links in `webcam.md` (Antoine du Hamel / #3346)
- @uppy/audio: new @uppy/audio plugin for recording with microphone (Artur Paikin / #2976)
- build: force use of `@babel/plugin-proposal-optional-chaining` (Antoine du Hamel / #3335)
- @uppy/companion: fix deploy Yarn version (Antoine du Hamel / #3327)
- @uppy/companion: upgrade aws-sdk (Mikael Finstad / #3334)
- @uppy/core: disable loose transpilation for legacy bundle (Antoine du Hamel / #3329)
- @uppy/angular: examples: update `angular-example` to Angular v13 (Antoine du Hamel / #3325)
- meta: Update BACKLOG.md (Artur Paikin, Merlijn Vos)
- meta: Add disableLocalFiles to options summary (Steve Barker / #3323)
- meta: Create SECURITY.md (Ziding Zhang / #3052)
- @uppy/image-editor: Pass croppedCanvasOptions to getCroppedCanvas (Mohamed Boudra / #3320)
- meta: finish `master`->`main` job (Mikael Finstad / #3315)
- website: update documents that were out of date (Antoine du Hamel / #3317)
- @uppy/status-bar: Status bar error state improvements (Merlijn Vos / #3299)
- doc: Fix typo in `docs/drag-drop.md` (Ash Allen / #3319)
- website: Update /support and docs about Transloadit-hosted Companion (Artur Paikin / #3243)
- @uppy/aws-s3,@uppy/box,@uppy/core,@uppy/dashboard,@uppy/drag-drop,@uppy/dropbox,@uppy/facebook,@uppy/file-input,@uppy/google-drive,@uppy/image-editor,@uppy/instagram,@uppy/locales,@uppy/onedrive,@uppy/screen-capture,@uppy/status-bar,@uppy/thumbnail-generator,@uppy/transloadit,@uppy/url,@uppy/webcam,@uppy/xhr-upload,@uppy/zoom: Refactor locale scripts & generate types and docs (Merlijn Vos / #3276)
- @uppy/companion: Remove references of incorrect `options` argument for `companion.socket` (Mikael Finstad / #3307)
- @uppy/companion: Upgrade linting to 2.0.0-0 (Kevin van Zonneveld / #3280)