Open luigigubello opened 1 year ago
+1
I agree with the idea of publishing an org-level security policy for OpenSSF repositories, projects, services, and infrastructure.
An org-level security policy should indeed go in the org's .github
repo in a SECURITY.md file.
Please change the document title. This is NOT a general-purpose security policy, this is a vulnerability disclosure policy. The title of the document should reflect that, so that people understand what they're going to be reading.
Proposal "Inbound Vulnerability Disclosure Policy" - that is, add "inbound" to distinguish from "outbound".
For clarification: a proposed outbound vulnerability disclosure policy is here: https://github.com/ossf/wg-vulnerability-disclosures/issues/122
Hi 👋 I think we have version 1.0 ready for the final review and approval, I share the doc in OpenSSF channels #wg-vulnerability-disclosures and #tac.
Important checks before publishing the policy:
Next steps for v1.1
We have temporarily removed the Safe Habor section because the Linux Foundation Counsel advised that the text as written has serious problems. Before releasing anything by making legal claims, we need a review and formal approval by Linux Foundation Counsel. In the meantime, we have edited the doc as they recommended. cc @david-a-wheeler (thank you 🙌 )
@luigigubello - yes, security @ openssf.org exists. It's currently an alias to operations @ openssf.org, who can then redirect to the specific project.
We have temporarily removed the Safe Habor section because the Linux Foundation Counsel advised that the text as written has serious problems.
We need to find a solution to keep this language in the document somehow.
Here are some example safe harbor policies we can pull from. If we come up with one that's international, we should work with the LF legal team to contribute it back here as well:
Another example of Safer Harbor could be that of U.S. Department of Agriculture. It is quite generic to work for us - we need to adapt the text a bit - and it should be written in a (U.S.-oriented probably) legal language good for LF.
Solid find and a good candidate!
As per meeting May 1
Existing safe harbors in thread https://www.usda.gov/vulnerability-disclosure-policy https://github.com/disclose/policymaker/tree/main/static/templates https://github.com/disclose/policymaker/blob/main/static/templates/disclose-io-safe-harbor/en-US.md
Additional Safe Harbors https://docs.bugcrowd.com/researchers/reporting-managing-submissions/disclosure/disclose-io-and-safe-harbor/ [more we could look at those using bug crowd and their safe harbors] https://hackerone.com/security/safe_harbor?type=team https://www.microsoft.com/en-us/msrc/bounty-safe-harbor https://proton.me/security/safe-harbor https://docs.tosdr.org/sp/Security-Vulnerability-Safe-Harbor.125926922.html
And here are the common elements i see
not in all but in many
Also disclose.io inccludes safe harbor in their VDP suggestions... any reason not to collab and suggest using theirs? https://disclose.io/docs/recipients/
@david-a-wheeler is there a current status or additional things to action on this?
Idea: Publish an org-level security policy for OpenSSF repositories, projects, services, and infrastructure.
Proposal
Note. This draft policy is trying to meet the following requirements: