gratipay / gratipay.com

Here lieth a pioneer in open source sustainability. RIP
https://gratipay.news/the-end-cbfba8f50981
MIT License

We need a comprehensive security policy #3145

Closed blrhc closed 9 years ago

blrhc commented 9 years ago

So far we haven't even restricted accessing user data on our security page (policy) which we really should do. I'd be happy to create a Responsible Disclosure policy, as I've read quite a few of them in my time :).

chadwhitacre commented 9 years ago

Not sure what exactly this entails but happy to see what you come up with. :)

chadwhitacre commented 9 years ago

@benhc123 I want to close all the issues on:

https://github.com/gratipay/gratipay.com/labels/security

What does this ticket mean? What is the work involved? What are some examples from other companies? What do you need from me?

I'm not sure what sense to make of this sentence in particular:

we haven't even restricted accessing user data on our security page (policy)

What do you mean there?

blrhc commented 9 years ago

http://www.facebook.com/whitehat/bounty/

https://bounty.github.com

Above are examples of security policies (I don't think we need to introduce a bounty though).

They set out the rules and terms for testing as well as explaining what to include in bug reports.

By just having a security page encouraging testing on Gratipay we don't limit the scope, so testers might access real user data instead of testing locally.

blrhc commented 9 years ago

Work involved: I write up a security policy for the page (I'm currently doing this which is why I don't have many PRs). It will establish scope, recognition, non-disclosure, etc.

What I need from you: Check over the security policy once I've finished it.

chadwhitacre commented 9 years ago

Cool, thanks for the update @benhc123. I don't want to overspecify our policy at this point. We're still small and it's not like we're inundated with requests. We should specify the minimum necessary.

blrhc commented 9 years ago

Great. Thanks @whit375.

On 11 Feb 2015, at 01:28, Chad Whitacre notifications@github.com wrote:


blrhc commented 9 years ago

Sorry, @whit537.

On 11 Feb 2015, at 01:28, Chad Whitacre notifications@github.com wrote:


Changaco commented 9 years ago

Done in #3186.