mvdnes / spin-rs

Spin-based synchronization primitives
MIT License
485 stars 92 forks

Create Security Policy #156

Closed diogoteles08 closed 1 year ago

diogoteles08 commented 1 year ago

Closes #155

I've created the SECURITY.md file following GitHub's template and considering that you'd request that users report vulnerabilities through a security advisory, which is a handy new GitHub feature, but it's still in beta and has to be manually enabled by a maintainer.

If you're interested in this feature, you can activate it by following these steps:

  1. Click on this link to go to Code security & analysis section on your repo's settings
  2. Click "Enable" for "Private vulnerability reporting (Beta)"

However, if you'd rather not use this feature, you can also request that users report vulnerabilities to an email address. If that's the case, let me know which email address you would like to receive the reports at and I can submit the change.

Additionally, feel free to edit or suggest any changes to this document; it is supposed to reflect the amount of effort the team can offer to handle vulnerabilities.

diogoteles08 commented 1 year ago

Hey! This issue/PR has been idle for quite some time. Do you plan on considering these changes? If not, I'll probably wait up to 2 more months and close the issue.

Thanks!

zesterer commented 1 year ago

Hello. This PR got lost under a long backlog. Although I'm the maintainer of spin-rs, I (obviously) don't own the repository: will security reports get sent to me also?

diogoteles08 commented 1 year ago

Hey @zesterer! Yep, GitHub documentation states that "Anyone with admin permissions to a repository can see, review, and manage privately-reported vulnerabilities for the repository.", so you as a maintainer would be able to see it and would probably be notified as well. Does that answer your question?

zesterer commented 1 year ago

It does, yes. Thank you.

diogoteles08 commented 1 year ago

Hey @zesterer, although the PR was merged, I think you haven't yet enabled GitHub's Private Vulnerability Reporting feature, have you? If not, please follow the instructions I sent here and enable it.

When this feature is not enabled, the link in your Security Policy will lead to a Not Found page :/