search

Python-Community-News / .github

MIT License
0 stars 3 forks source link

[ADD] security.md file #13

Open homiecoder opened 1 year ago

homiecoder commented 1 year ago

The repo should contain security.md file to meet community standards.

I would like to work on this issue!

I have included an example security.md file below:

Thanks for helping make GitHub safe for everyone.

## Security

GitHub takes the security of our software products and services seriously, including all of the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub).

Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation.

## Reporting Security Issues

If you believe you have found a security vulnerability in any GitHub-owned repository, please report it to us through coordinated disclosure.

**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**

Instead, please send an email to opensource-security[@]github.com.

Please include as much of the information listed below as you can to help us better understand and resolve the issue:

- The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

## Policy

See [GitHub's Safe Harbor Policy](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor)
kjaymiller commented 1 year ago

Looks great! Go ahead and add this as a PR!

jonafato commented 1 year ago

I'm curious what classes of security issues we expect to see reports of on our projects here, as it's largely a static site and supporting tooling to build it.

The text here refers to a bunch of GitHub-owned programs, which don't apply here (i.e. no one should be contacting GitHub's security team or bug bounty program in regards to a project that happens to be hosted on GitHub, only those actually owned and maintained by GitHub.

kjaymiller commented 1 year ago

There could be an issue if some dependency is compromised. I also know that having a security.md is a signal towards good community standards.

jonafato commented 1 year ago

I'm not objecting to the existence of a security.md file, but I think we need to make sure this is tailored and relevant to our projects. IMHO this is a document that should be created as a result of defining security policies, not something boilerplate.

kjaymiller commented 1 year ago

I can work with @homiecoder to make sure that we have a tailored file