Re: security vuln reporting policy in GH

Dave Huseby <dhuseby@...>

Here's more detail in my thinking. The informational section of the security policy should really just be a link back to the policy/info published on our wiki. As for the set of releases currently being supported, I'm concerned about the maintenance of that. Do you see the maintainers keeping that list up-to-date? I haven't looked at the GH API to see if there is a way for us to refresh it from the CI pipeline when changes to the supported releases are made. Ideally, we'd use Git tags to enumerate the currently supported releases of a given repo and the CI pipeline would run a task to re-generate this policy doc and update it via the GH API.

As I said before, this is a good idea. It never hurts to shout about our security policies on every platform to encourage interaction and contributions that are security focused.

David Huseby
Security Maven, Hyperledger
The Linux Foundation

On Wed, Sep 25, 2019 at 5:48 AM Christopher Ferris <chris.ferris@...> wrote:
Bumping this topic for discussion. Adding to the wiki as well.


On Fri, Sep 6, 2019 at 11:40 AM Christopher Ferris <chris.ferris@...> wrote:
I know that GH has been reporting vulnerabilities in dependencies for a while now, but I see that they have also added the ability to publish your security vulnerability reporting process via the GH repository.

Seems to me that it would be A Good Thing (tm) to update all the Hyperledger repos with our process, with each project adding in the set of releases covered by the policy.
