Create security policy #893

Status: Merged (5 commits, Mar 16, 2021)

Conversation

sliverc (Member) commented Mar 8, 2021

Description of the Change

We did not have any security issues in the past, but there might be, so I think it is important to have a security policy so users know how to report such issues without fully disclosing them in a GitHub issue. After all, DJA exposes APIs which could be publicly exposed.

I've copied the policy from Django REST Framework and adjusted it. I recommend reading the following guide, which describes how security vulnerabilities are best addressed.

One question remains though: what means do we want to use to privately communicate with us? GitHub has Security Advisories, which I recommend we use. But only an admin can create security advisories. Currently, as it seems, GitHub does not provide a way for the initial communication.

DRF uses Google Groups for this. Not my favorite, but I do not see any alternatives. Or are there any other suggestions?

Checklist

  • PR only contains one change (considered splitting up PR)
  • unit-test added
  • documentation updated
  • CHANGELOG.md updated (only for user relevant changes)
  • author name in AUTHORS

@sliverc sliverc requested a review from n2ygk March 8, 2021 18:09
codecov bot commented Mar 8, 2021

Codecov Report

Merging #893 (c60dc37) into master (1444a67) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #893   +/-   ##
=======================================
  Coverage   97.70%   97.70%           
=======================================
  Files          59       59           
  Lines        3182     3182           
=======================================
  Hits         3109     3109           
  Misses         73       73           

@sliverc sliverc marked this pull request as draft March 8, 2021 18:11
@sliverc sliverc changed the title Create SECURITY.md Create security policy Mar 8, 2021
sliverc (Member, Author) commented Mar 10, 2021

@n2ygk I have added you to the security mailing list and also updated the PR with more details. Ready for review again.

@sliverc sliverc marked this pull request as ready for review March 10, 2021 13:43
sliverc (Member, Author) commented Mar 16, 2021

@n2ygk Could you have a look again at this PR? Thanks.

sliverc added 3 commits March 16, 2021 23:55:
  • Replace invalid email address
  • Add missing space
  • Clarify add maintainer description.
@n2ygk n2ygk merged commit e32ff43 into master Mar 16, 2021
@n2ygk n2ygk deleted the security-policy branch March 16, 2021 20:24