Improve vulnerability reporting

amazon-ion / ion-java

Java streaming parser/serializer for Ion.

https://amazon-ion.github.io/ion-docs/

Apache License 2.0

866 stars 110 forks source link

Improve vulnerability reporting #484

Open Marcono1234 opened 1 year ago

Marcono1234 commented 1 year ago

Hello, could you please improve the vulnerability reporting experience? In particular:

Add a SECURITY.md file, the current mention in CONTRIBUTING.md might not be immediately noticeable
Replace http:// with https:// URLs, at the very least please for the vulnerability reporting URL in CONTRIBUTING.md
Consider using GitHub's private vulnerability reporting instead of requiring reports to the AWS Security team. It appears the AWS Security team is not necessarily excepting reports for amazon-ion, and the communication over e-mail might be a bit tedious.

Note that this is not specific to ion-java, but probably applies to all amazon-ion repositories.

Marcono1234 commented 1 year ago

@tgregg, @zslayton, @popematt

The reason why I created this issue is also because a few weeks before I wrote to aws-security@amazon.com. After some back and forth I got the following response:

We have raised this with the appropriate team to address the issue

So I hope it did actually reach you, but I am not sure because so far I haven't seen any fixes for that issue. I am not planning to disclose the content of that report here though.

popematt commented 1 year ago

Hi @Marcono1234,

Thank you for bringing this up, and I'm sorry that it has taken this long to get back to you.

We can certainly update all of the http links. For the other two items you mentioned, we'll need to talk to our security team to find out if they're okay with those changes.

In the meantime, if you would like, you can email us at ion-team@amazon.com with a brief summary of the issue you reported, and we can confirm to you whether or not we were informed about it.

Marcono1234 commented 1 year ago

In the meantime, if you would like, you can email us at ion-team@amazon.com with a brief summary of the issue you reported, and we can confirm to you whether or not we were informed about it.

Thanks! I have just forwarded the original mail to that address, it is not that long, so I hope that is ok for you.

popematt commented 1 year ago

Thank you. We will look into this.

popematt commented 1 year ago

@Marcono1234, thanks for your patience with this. As you can probably guess, some of these changes require some work behind closed doors with our security teams and from the outside it might look like we are doing nothing.

Here are some of the changes that have happened so far:

We now have a security policy set up for the amazon-ion organization that applies to all repos. See https://github.com/amazon-ion/ion-java/security/policy, for example.
We have coordinated with AWS Security to ensure that they are expecting reports about Ion and that all security disclosures will be shared with us regardless of the severity of the issue, its eligibility for any bug bounty programs, etc.
We are switching the links in CONTRIBUTING.md to use https (#554).

Marcono1234 commented 1 year ago

Thanks a lot for the update! The changes look and sound good to me.

We are switching the links in CONTRIBUTING.md to use https

In case you aren't aware of it yet, SECURITY.md and CONTRIBUTING.md in https://github.com/amazon-ion/.github still use http:// for the vulnerability reporting URL.