haskell / security-advisories

https://haskell.github.io/security-advisories/
Other

Are embargoed vulnerabilities accepted? #204

Closed adamgundry closed 5 months ago

adamgundry commented 5 months ago

My understanding from speaking to @frasertweedale is that vulnerabilities subject to embargo are now accepted by the SRT, subject to resource constraints. However this contradicts the documents in this repo, which may need to be updated?

CONTRIBUTING.md currently says:

> Q: Does this project have a GPG key or other means of handling embargoed vulnerabilities?
>
> A: We do not presently handle embargoed vulnerabilities. Please ensure embargoes have been lifted and details have been disclosed to the public prior to filing them here.

PROCESS.md says:

> The HSRT does not presently handle embargoed vulnerabilities. Please ensure embargoes have been lifted and details have been disclosed to the public prior to filing a report.

frasertweedale commented 5 months ago

Thank you! We will update the docs to reflect the current status.

On Thu, Jun 6, 2024, at 4:31 PM, Adam Gundry wrote:

> My understanding from speaking to @frasertweedale is that vulnerabilities subject to embargo are now accepted by the SRT, subject to resource constraints. However this contradicts the documents in this repo, which may need to be updated?
>
> CONTRIBUTING.md currently says:
>
> > Q: Does this project have a GPG key or other means of handling embargoed vulnerabilities?
> >
> > A: We do not presently handle embargoed vulnerabilities. Please ensure embargoes have been lifted and details have been disclosed to the public prior to filing them here.
>
> PROCESS.md says:
>
> > The HSRT does not presently handle embargoed vulnerabilities. Please ensure embargoes have been lifted and details have been disclosed to the public prior to filing a report.


TristanCacqueray commented 5 months ago

The PROCESS.md original document contains extensive information about how to handle the progressive disclosure and keep every party up to date. Now that we have a VINCE group, perhaps we could leverage this platform?

mihaimaruseac commented 5 months ago

+1 to using VINCE if possible.