Re: security vuln reporting policy in GH


Dave Huseby <dhuseby@...>
 

Here's more detail on my thinking. The informational section of the security policy should really just be a link back to the policy/info published on our wiki. As for the set of releases currently being supported, I'm concerned about the maintenance of that. Do you see the maintainers keeping that list up-to-date? I haven't looked at the GH API to see if there is a way for us to refresh it from the CI pipeline when changes to the supported releases are made. Ideally, we'd use Git tags to enumerate the currently supported releases of a given repo and the CI pipeline would run a task to re-generate this policy doc and update it via the GH API.

As I said before, this is a good idea. It never hurts to shout about our security policies on every platform to encourage interaction and contributions that are security focused.

Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
dhuseby@...


On Wed, Sep 25, 2019 at 5:48 AM Christopher Ferris <chris.ferris@...> wrote:
Bumping this topic for discussion. Adding to the wiki as well.

Chris

On Fri, Sep 6, 2019 at 11:40 AM Christopher Ferris <chris.ferris@...> wrote:
I know that GH has been reporting vulnerabilities in dependencies for a while now, but I see that they have also added the ability to publish your security vulnerability reporting process via the GH repository.
Seems to me that it would be A Good Thing (tm) to update all the Hyperledger repos with our process, with each project adding in the set of releases covered by the policy.
Thoughts?

Chris
