Add SECURITY.md vulnerability reporting policy #420
Implement issue rubysec#309 by adding a dedicated security policy for bundler-audit.

Changes:

- Add SECURITY.md with private vulnerability reporting instructions.
- Document email reporting channel and disclosure expectations.
- Add spec/security_policy_spec.rb to verify policy file presence and core guidance.

This commit intentionally contains only security-policy related files.
| ## Reporting A Vulnerability | ||
| - Email: postmodern.mod3@gmail.com |
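Review bot: the only reporting channel in this hunk is a single personal mailbox (postmodern.mod3@gmail.com), so SECURITY.md has to be edited every time the person behind it changes, which is exactly the follow-up the thread below is already asking for. Pointing the "Email:" line at an address the project controls (a shared alias or group) would keep the policy stable across maintainer turnover.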
I assume we need to change the email now. Any idea where to point now? @jasnow what about your contact?
Opened this yesterday for security@rubysec.com:
- Replace current security-related email with a more generic one #428
I just created a backup Gmail address and will share it if we need it. FYI: rubysec@gmail.com is taken, so I sent it an email asking who they were.
I'd like to propose that we use a contact address that is itself a resource with shared ownership (e.g., a private Google group where we can manage membership and permissions), presuming we gain control of gem publishing.
> resource with shared ownership (e.g., a private Google group where we can manage
> membership and permissions), presuming we gain control of gem publishing.
My previous thoughts are in ISS #428 but I can support @flavorjones' approach too.
| it 'contains a security contact channel' do | ||
| expect(content).to include('postmodern.mod3@gmail.com') | ||
| expect(content).to include('security@rubysec.com') |
| ## Reporting A Vulnerability | ||
| - Email: postmodern.mod3@gmail.com | ||
| - Email: security@rubysec.com |
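Review bot: `expect(content).to include('security@rubysec.com')` pins the spec to the literal mailbox, so the test has to change in lock-step with SECURITY.md, and this hunk is exactly that churn. Asserting that the "Reporting A Vulnerability" section exists and contains some email address or URL, rather than one hard-coded string, would keep spec/security_policy_spec.rb meaningful without coupling it to whichever address the project settles on.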
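The spec described in the PR checks that SECURITY.md exists and names a contact, and the review thread argues that the contact should be a project-owned alias rather than a personal mailbox. The following is an added example, not bundler-audit's own spec or code: a small Ruby checker that parses the "Reporting A Vulnerability" section, extracts the contact addresses, and flags any hosted on a consumer mail provider. The provider list, the function names and the two sample policies are assumptions constructed for the example.

```ruby
# Added example (not bundler-audit's own code). Checks a SECURITY.md
# reporting policy the way a spec could, without pinning it to one address.

# Assumption: mail providers where a single person owns the mailbox. A
# project-owned alias (e.g. security@<project-domain>) is what the PR
# thread asks for, so addresses on these domains are reported as problems.
PERSONAL_MAIL_DOMAINS = %w[gmail.com googlemail.com outlook.com hotmail.com yahoo.com].freeze

# Plain email matcher; good enough for a policy file, not for RFC 5322 parsing.
EMAIL_PATTERN = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/

SECTION_HEADING = /\Areporting\s+a\s+vulnerability\z/i

# Returns the body of the first "## <title>" section whose title matches
# heading_re, up to the next "## " heading, or nil when no such section exists.
def section_body(markdown, heading_re)
  lines = markdown.lines
  start = lines.index { |l| (m = l.match(/\A##\s+(.+?)\s*$/)) && m[1] =~ heading_re }
  return nil unless start

  body = []
  lines.drop(start + 1).each do |l|
    break if l.start_with?('## ')
    body << l
  end
  body.join
end

# Unique contact addresses found in the reporting section (empty if none).
def reporting_contacts(markdown)
  body = section_body(markdown, SECTION_HEADING)
  return [] unless body
  body.scan(EMAIL_PATTERN).uniq
end

# Runs the policy checks. Returns { contacts: [...], problems: [...] };
# an empty :problems array means the policy passes.
def check_security_policy(markdown)
  problems = []
  problems << 'missing "## Reporting A Vulnerability" section' if section_body(markdown, SECTION_HEADING).nil?

  contacts = reporting_contacts(markdown)
  problems << 'no contact address in the reporting section' if contacts.empty?

  contacts.each do |addr|
    domain = addr.split('@').last.downcase
    if PERSONAL_MAIL_DOMAINS.include?(domain)
      problems << "#{addr} is on a personal mail provider; use a project-owned alias"
    end
  end

  { contacts: contacts, problems: problems }
end

# Constructed sample policies mirroring the before/after state of the PR;
# not the actual file contents.
OLD_POLICY = <<~MD
  # Security Policy

  ## Reporting A Vulnerability

  Please do not open a public issue for security bugs.

  - Email: postmodern.mod3@gmail.com
MD

NEW_POLICY = OLD_POLICY.sub('postmodern.mod3@gmail.com', 'security@rubysec.com')

if $PROGRAM_NAME == __FILE__
  [OLD_POLICY, NEW_POLICY].each { |policy| p check_security_policy(policy) }
end
```

In an RSpec file this becomes `expect(check_security_policy(File.read('SECURITY.md'))[:problems]).to be_empty`, which keeps passing when the project switches aliases but fails if the section or the contact disappears.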