graphql-rust / juniper

GraphQL server library for Rust

Missing security policy prevents a responsible disclosure in case a security vulnerability is discovered #1011

Open quapka opened 2 years ago

quapka commented 2 years ago

Is your feature request related to a problem? Please describe. There is no security policy set up for this project. Also, searching for security in the documentation yields 0 results.

Describe the solution you'd like A security policy is set up, e.g. using GitHub Security Advisory. Also when creating a new issue there should be an option to report a security vulnerability that links to the policy.

Describe alternatives you've considered One can look for/guess e-mails of trusted maintainers, but that is far from a good practice.

Additional context None.

quapka commented 2 years ago

Hi folks, is there a problem in adding a security policy?

tyranron commented 2 years ago

@quapka thanks for bringing this up! Sorry for the late reply; this is because all the maintainers have low bandwidth to dedicate to this project.

We'll add the security policy closer to releasing 0.16 version.

quapka commented 2 years ago

I see, @tyranron. When is the release expected or is there a secure communication channel in the meantime? Adding a security policy should not actually take much time. :slightly_smiling_face:

tyranron commented 2 years ago

@quapka I guess for the moment, you may reach me or @LegNeato privately by the email address specified in commits.

LegNeato commented 2 years ago

I am personally a big fan of immediate public disclosure / radical transparency (I used to manage security updates for macOS and Firefox FWIW) but we haven't had a discussion between the maintainers about what we should do for juniper yet.

quapka commented 2 years ago

(I used to manage security updates for macOS and Firefox FWIW)

@LegNeato that is a resume worth mentioning IMHO.

It is the maintainers/code-owners decision how such issues should be handled. Simply coming as an outsider to a project it is nice to have the disclosure policy clear & explicit (say in README.md and in SECURITY.md ~ security policy, GitHub specific). Otherwise, it seems like it might not have been thought of, and filing an issue with security vulnerability might come as a surprise.

sno2 commented 1 year ago

Hello, who should I contact for security vulnerabilities with this organization? I tried messaging the owner of the crate, but he is currently serving in the Ukraine army and I want to make sure I contact the correct people.

LegNeato commented 1 year ago

https://github.com/graphql-rust/juniper/issues/1011#issuecomment-1022502056