Conversation

@joshtrichards
Member

Summary

  • Added request to not report vulnerabilities in public GH issues
  • Added missing and/or deeper links to relevant pages { existing security advisories, scope }
  • Mentioned bounty program
  • Reorganized to keep focus on reporting while also adding context helpful to other audiences
  • Added some new headings to keep things easy to access

I was tempted to add the "No BS" stuff from the HackerOne page, but ultimately opted to keep this the more formal of the two since that is how it's been historically.

TODO

  • ...

Checklist

* Add links to various relevant pages (scope, existing security advisories)
* Add request to not report vulnerabilities in public GH issues
* Mention bounty program
* Reorganized and added some new headings

Signed-off-by: Josh Richards <[email protected]>
@joshtrichards joshtrichards added 3. to review Waiting for reviews security labels Oct 18, 2023
@szaimen szaimen added this to the Nextcloud 28 milestone Oct 18, 2023
@szaimen szaimen requested a review from nickvergessen October 18, 2023 16:14
Member

@nickvergessen nickvergessen left a comment

Thanks for cleaning this one up.
Some small comments but good step forward :)

@nickvergessen nickvergessen changed the title on Oct 19, 2023
  from: SECURITY: Add "no public GH Issues please" request, past advisories link, bounty mention, scope link
  to: Add "no public GH Issues please" request, past advisories link, bounty mention, scope link to security.md
Co-authored-by: Joas Schilling <[email protected]>
Signed-off-by: Josh Richards <[email protected]>
@nickvergessen nickvergessen requested a review from szaimen October 20, 2023 13:22
Contributor

@szaimen szaimen left a comment

Makes sense and LGTM. Should we apply the same changes to https://github.com/nextcloud/.github/blob/master/SECURITY.md?
