KhronosGroup / OpenGL-Registry

OpenGL, OpenGL ES, and OpenGL ES-SC API and Extension Registry

Create a Security Policy #568

Closed joycebrum closed 1 year ago

joycebrum commented 1 year ago

Closes #567

I've created the SECURITY.md file considering reporting vulnerabilities through a security advisory, which is a new GitHub feature, still in beta, that has to be enabled.

If you're interested in GitHub's feature, it must be activated for the repository:

  1. Open the repo's settings
  2. Click on Code security & analysis
  3. Click "Enable" for "Private vulnerability reporting (Beta)"

If you would rather not enable it, there is also the possibility of receiving vulnerability reports through an email; in this case just let me know which email it would be and I'll submit the change.

Besides that, feel free to edit or suggest any changes to this document; it is supposed to reflect the amount of effort the team can offer to handle vulnerabilities.

oddhack commented 1 year ago

@pdaniell-nv I turned on the "private reporting" flag. I'm OK with accepting this.

pdaniell-nv commented 1 year ago

Approved by the OpenGL/ES working groups. Thanks.

rpavlik commented 12 months ago

Should we presumably be doing this on the other Khronos repos that have code? The OpenXR CTS seems unlikely to matter, but the loader (the SDK repos) probably does.

joycebrum commented 12 months ago

One possibility is to create https://github.com/KhronosGroup/.github and add the file there to be project-agnostic: explaining how to report step by step instead of through a link. This would make the policy available to all projects under the KhronosGroup org.