nginx / unit

NGINX Unit - universal web app server - a lightweight and versatile open source server that simplifies the application stack by natively executing application code across eight different programming language runtimes.
https://unit.nginx.org
Apache License 2.0

Mismatch in content of `SECURITY.txt` in Units and e.g. NGINX Agents / NJS Repositories #1408

Closed tippexs closed 1 week ago

tippexs commented 4 weeks ago

Good Friday Unit-Team :)

feels great to be back here on GitHub with you. While researching I have noticed that there is a difference between the SECURITY.txt in this repository and the SECURITY.md in njs and agents repository. As the last two are updated more recently, maybe there is value in using the same Policy Document. If that's accurate, I am MORE than happy to come up with a PR.

PS: Great to see 1.33 on the Horizon AND the Wasmtime Version Bump <3

callahad commented 2 weeks ago

So good to see you, too, @tippexs !

Honestly, I'm not entirely sure what to do re: the mismatch. It seems like security.txt (which gets exposed at https://unit.nginx.org/.well-known/security.txt) is part of the securitytxt.org standard for machine-discoverable information about reporting vulnerabilities, while the njs and agent security.md is more human-readable.

...that said, there are clearly some outdated bits of the security.txt document (maxim's key, etc.) but it's not clear to me how we should be reconciling the differences. I'll leave it to @javorszky to propose a next step.
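The comment above draws the distinction between a human-readable SECURITY.md and the machine-readable `/.well-known/security.txt` defined by securitytxt.org (RFC 9116), and notes that Unit's copy has outdated bits. The checker below is an added example, not code from the Unit project or from anyone in this thread: it parses a security.txt in the RFC 9116 line format and reports the kind of staleness mentioned here (a past `Expires` date, non-URI `Contact` values, missing required fields, duplicated single-use fields). The two sample files are constructed for the example and are not Unit's real file.

```python
"""Stale-field checker for a /.well-known/security.txt file (RFC 9116 format).

Added example, not part of the NGINX Unit project. The sample files below are
constructed; they are not the contents of unit.nginx.org's security.txt.
"""
from datetime import datetime, timezone

# RFC 9116: Contact and Expires are mandatory; Expires and Preferred-Languages
# must not appear more than once.
REQUIRED = ("Contact", "Expires")
SINGLE_USE = ("Expires", "Preferred-Languages")
KNOWN = {"Contact", "Expires", "Encryption", "Acknowledgments", "Preferred-Languages",
         "Canonical", "Policy", "Hiring", "CSAF"}
_CANONICAL_NAME = {name.lower(): name for name in KNOWN}
# Contact values must be URIs; these are the schemes the RFC gives as examples.
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Return {field: [values]} from a security.txt body.

    Blank lines and '#' comments are skipped, field names are matched
    case-insensitively and normalised to their documented spelling, and lines
    without a ':' are collected under the pseudo-field '_malformed'.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("_malformed", []).append(line)
            continue
        name, value = line.split(":", 1)
        name = _CANONICAL_NAME.get(name.strip().lower(), name.strip())
        fields.setdefault(name, []).append(value.strip())
    return fields


def _parse_timestamp(value):
    """Parse an ISO 8601 / RFC 3339 timestamp; a trailing 'Z' means UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def check_security_txt(text, now=None):
    """Return a list of findings (empty when the file looks current and well-formed).

    `now` may be a datetime, an ISO 8601 string, or None for the current UTC time;
    passing it explicitly keeps the check reproducible.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_timestamp(now)

    fields = parse_security_txt(text)
    findings = []

    for name in REQUIRED:
        if name not in fields:
            findings.append(f"missing required field: {name}")

    for name in SINGLE_USE:
        if len(fields.get(name, [])) > 1:
            findings.append(f"{name} must not appear more than once")

    for value in fields.get("Expires", []):
        try:
            expires = _parse_timestamp(value)
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        if expires <= now:
            # An expired file is the machine-readable signal that contacts and
            # keys listed in it may be stale and should be re-verified.
            findings.append(f"expired on {value}: listed contacts and keys may be stale")

    for value in fields.get("Contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            findings.append(f"Contact is not a URI: {value}")

    for name in fields:
        if name not in KNOWN and name != "_malformed":
            findings.append(f"unknown field: {name}")
    for line in fields.get("_malformed", []):
        findings.append(f"malformed line: {line}")
    return findings


# Constructed sample: a file whose Expires date has passed.
STALE_SAMPLE = """# Constructed sample for the checker, not a real project's file
Contact: mailto:security-reports@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2023-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample: the same file with a future Expires date.
CURRENT_SAMPLE = STALE_SAMPLE.replace("2023-01-01", "2099-01-01")

if __name__ == "__main__":
    for label, body in (("stale", STALE_SAMPLE), ("current", CURRENT_SAMPLE)):
        print(label, check_security_txt(body, now="2024-06-01T00:00:00Z") or "ok")
```

Run it against a fetched copy of a real file (for example the body returned by `curl -s https://unit.nginx.org/.well-known/security.txt`) to get the same findings; the check is deliberately offline and does not verify any OpenPGP signature the file may carry, which is a separate step.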

javorszky commented 1 week ago

Had a conversation about this, the resolution will be:

I'll be making these changes in a moment.

tippexs commented 1 week ago

Thanks for taking care of this and congratulations to 1.33!!!

javorszky commented 1 week ago

Thank you! And thank you for flagging this to us 🙂