
[security] Set security policy

Open gabibguti opened this issue 2 years ago • 5 comments

Adding a Security Policy is important because it provides clear instructions on how to report security vulnerabilities. It also sets expectations of when vulnerabilities will be disclosed.

I previously recommended https://github.com/Turfjs/turf/issues/2413, which is also related to security and recommended by GitHub and Scorecard.

If you agree, I can open a PR to suggest a Security Policy. We can then work together to communicate how the repo can best handle vulnerability reports.

Additional context

Hi again! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)

I am not including the regular issue template information, such as version of Turf, GeoJSON, and code snippets, because this is a security-related issue. I understand that the template would not be appropriate for this type of issue.

gabibguti avatar Apr 10 '23 17:04 gabibguti
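The Scorecard recommendation mentioned above is its Security-Policy check: it looks for a policy file in the places GitHub recognises and scores its content. What follows is an added example, not code from the Turf.js project, from Scorecard or from the commenter; it audits a local checkout the same way in simplified form. The file names and directories searched are the ones GitHub documents for SECURITY.md; the content signals (a contact e-mail or URL, a link to the private reporting form, a disclosure window stated in days, a minimum length) are this example's own approximation of what Scorecard looks at, not its exact rules. The sample policy text, the `example-org/example-repo` URL and the `security@example.org` address are constructed for the demo.

```python
"""Audit a checkout for a security policy, loosely modelled on the OpenSSF
Scorecard Security-Policy check (the heuristics here are this example's own
simplification, not Scorecard's exact scoring)."""
import re
import tempfile
from pathlib import Path
from typing import Optional

# Directories GitHub searches for a policy file, root first.
POLICY_DIRS = ("", ".github", "docs")
# File names matched case-insensitively.
POLICY_NAMES = ("SECURITY.md", "SECURITY.rst", "SECURITY.adoc", "SECURITY.txt", "SECURITY")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL_RE = re.compile(r"https?://[^\s)>\]]+")
# A disclosure window such as "90 days" or "3 business days".
TIMELINE_RE = re.compile(r"\b\d+\s+(?:business\s+|calendar\s+)?days?\b", re.I)
# A pointer to GitHub's private vulnerability reporting form.
PRIVATE_REPORT_RE = re.compile(r"security/advisories/new|private vulnerability report", re.I)
MIN_WORDS = 50  # assumption: shorter policies rarely say how to report anything


def find_security_policy(repo_dir: str) -> Optional[Path]:
    """Return the first policy file GitHub would pick up, or None."""
    root = Path(repo_dir)
    wanted = {n.lower() for n in POLICY_NAMES}
    for d in POLICY_DIRS:
        folder = root / d
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            if entry.is_file() and entry.name.lower() in wanted:
                return entry
    return None


def assess_policy(text: str) -> dict:
    """Score the policy text for the signals a reporter actually needs."""
    return {
        "has_contact": bool(EMAIL_RE.search(text) or URL_RE.search(text)),
        "has_private_reporting": bool(PRIVATE_REPORT_RE.search(text)),
        "has_disclosure_timeline": bool(TIMELINE_RE.search(text)),
        "is_substantive": len(text.split()) >= MIN_WORDS,
    }


def audit_repo(repo_dir: str) -> dict:
    """Locate the policy, then assess it; {'found': False} if there is none."""
    path = find_security_policy(repo_dir)
    if path is None:
        return {"found": False}
    result = assess_policy(path.read_text(encoding="utf-8"))
    result["found"] = True
    result["path"] = path.relative_to(repo_dir).as_posix()
    return result


# Constructed sample policy; the org/repo URL and address are placeholders.
SAMPLE_POLICY = """# Security Policy

## Reporting a Vulnerability

Please do not open a public issue for security problems. Report them
privately through GitHub's private vulnerability reporting form at
https://github.com/example-org/example-repo/security/advisories/new
(the repo name here is a placeholder). If that is unavailable, email
security@example.org.

We aim to acknowledge reports within 3 business days and to publish a
fix and advisory within 90 days of the initial report. Please give us
that window before disclosing publicly.

## Supported Versions

Only the latest minor release receives security fixes.
"""


def make_sample_repo(policy_text: Optional[str], subdir: str = ".github") -> str:
    """Create a throwaway checkout (constructed fixture) with or without a policy."""
    repo = tempfile.mkdtemp(prefix="policy-audit-")
    (Path(repo) / "README.md").write_text("# demo\n", encoding="utf-8")
    if policy_text is not None:
        target = Path(repo) / subdir
        target.mkdir(parents=True, exist_ok=True)
        (target / "SECURITY.md").write_text(policy_text, encoding="utf-8")
    return repo


if __name__ == "__main__":
    print("good policy:", audit_repo(make_sample_repo(SAMPLE_POLICY)))
    print("weak policy:", audit_repo(make_sample_repo("Contact the maintainers.\n", subdir="")))
    print("no policy:  ", audit_repo(make_sample_repo(None)))
```

Point `audit_repo` at a real checkout to see which signals are missing; a policy that is found but scores `has_contact` false is exactly the situation the thread describes, a file that exists but gives a reporter nowhere private to send the report.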

Hi @gabibguti, thanks for raising this. I agree a security policy probably makes sense for a project operating at the size of Turf.js. Do you have any examples of what this might look like? One issue I'm foreseeing is we do not have a way to currently contact the maintainers privately - I'm not sure if this would be a requirement?

JamesLMilner avatar Apr 25 '23 19:04 JamesLMilner

Hi @JamesLMilner!

Yes, here are a few examples: https://github.com/emscripten-core/emscripten/security/policy https://github.com/dustin/go-humanize/security/policy https://github.com/Cyan4973/xxHash/security/policy

About contacting the maintainers privately, GitHub has a Private vulnerability reporting feature, currently in public beta. Private reports are not mandatory but strongly recommended.

gabibguti avatar Apr 28 '23 14:04 gabibguti

Hi! Friendly ping here. Do you still plan on considering this change? Otherwise we can close as not planned for now :)

gabibguti avatar Aug 23 '23 22:08 gabibguti

Hi @gabibguti - thanks for providing the detailed examples, sorry about the delayed response. Turf has a few maintainers but unfortunately we can't always dedicate as much time as we'd like to Turf.js. They look great and I am sure we could produce something similar. My main concern is we don't have a sensible way to contact the maintainers privately as it stands - in theory we have an email address but it is mostly unchecked. I would suggest private vulnerability reporting would make the most sense here. Let me see how to go about setting that up for the project. Thanks!

JamesLMilner avatar Aug 25 '23 22:08 JamesLMilner

Hi! No problem! Ok! Sending here a quick guide if it helps:

How to enable private vulnerability reporting
  1. Open "Code security and analysis" settings
  2. Click "Enable" for "Private vulnerability reporting (Beta)"

Then, you can create new reports at https://github.com/Turfjs/turf/security/advisories/new.

gabibguti avatar Sep 25 '23 20:09 gabibguti