Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add "no public GH Issues please" request, past advisories link, bounty mention, scope link to security.md #40966

Merged
merged 2 commits into from
Oct 23, 2023
Merged

Add "no public GH Issues please" request, past advisories link, bounty mention, scope link to security.md #40966

merged 2 commits into from
Oct 23, 2023

Conversation

joshtrichards
Copy link
Member

Summary

  • Added request to not report vulnerabilities in public GH issues
  • Added missing and/or deeper links to relevant pages { existing security advisories, scope }
  • Mentioned bounty program
  • Reorganized to keep focus on reporting while also adding context helpful to other audiences
  • Added some new headings to keep things easy to access

I was tempted to add the "No BS" stuff from the HackerOne page, but ultimately opted to keep this the more formal of the two since that is how it's been historically.

TODO

  • ...

Checklist

@joshtrichards
SECURITY: Add {links, headings, $, scope, public GH Issues notes}
59366ee 
* Add links to various relevant pages (scope, existing security advisories)
* Add request to not report vulnerabilities in public GH issues
* Mention bounty program
* Reorganized and added some new headings

Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
@joshtrichards joshtrichards added 3. to review Waiting for reviews security labels Oct 18, 2023
@szaimen szaimen added this to the Nextcloud 28 milestone Oct 18, 2023
@szaimen szaimen requested a review from nickvergessen October 18, 2023 16:14
nickvergessen
nickvergessen reviewed Oct 19, 2023
View reviewed changes
Copy link
Member

@nickvergessen nickvergessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for cleaning this one up.
Some small comments but good step forward :)

SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
SECURITY.md Outdated Show resolved Hide resolved
@nickvergessen nickvergessen changed the title SECURITY: Add "no public GH Issues please" request, past advisories link, bounty mention, scope link Add "no public GH Issues please" request, past advisories link, bounty mention, scope link to security.md Oct 19, 2023
@joshtrichards @nickvergessen
Apply suggestions
0ded3ad 
Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com>
Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
@nickvergessen nickvergessen requested a review from szaimen October 20, 2023 13:22
szaimen
szaimen approved these changes Oct 20, 2023
View reviewed changes
Copy link
Contributor

@szaimen szaimen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense and LGTM. Should we apply the same changes to https://github.com/nextcloud/.github/blob/master/SECURITY.md?

@nickvergessen nickvergessen merged commit 73a6061 into master Oct 23, 2023
36 of 38 checks passed
@nickvergessen nickvergessen deleted the jr-security-policy-expansion branch October 23, 2023 05:19
@joshtrichards joshtrichards mentioned this pull request Oct 23, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@szaimen szaimen szaimen approved these changes

@nickvergessen nickvergessen nickvergessen approved these changes

Assignees
No one assigned
Labels
3. to review Waiting for reviews security
Projects
None yet
Milestone
Nextcloud 28
Development

Successfully merging this pull request may close these issues.
3 participants
@joshtrichards @nickvergessen @szaimen