
Improve vulnerability reporting

Open Marcono1234 opened this issue 2 years ago • 6 comments

Hello, could you please improve the vulnerability reporting experience? In particular:

  • Add a SECURITY.md file, the current mention in CONTRIBUTING.md might not be immediately noticeable
  • Replace http:// with https:// URLs, at the very least please for the vulnerability reporting URL in CONTRIBUTING.md
  • Consider using GitHub's private vulnerability reporting instead of requiring reports to the AWS Security team. It appears the AWS Security team is not necessarily accepting reports for amazon-ion, and the communication over e-mail might be a bit tedious.

Note that this is not specific to ion-java, but probably applies to all amazon-ion repositories.

Marcono1234 avatar Apr 30 '23 22:04 Marcono1234

@tgregg, @zslayton, @popematt

The reason why I created this issue is also that a few weeks earlier I had written to [email protected]. After some back and forth I got the following response:

We have raised this with the appropriate team to address the issue

So I hope it did actually reach you, but I am not sure because so far I haven't seen any fixes for that issue. I am not planning to disclose the content of that report here though.

Marcono1234 avatar Jun 25 '23 16:06 Marcono1234

Hi @Marcono1234,

Thank you for bringing this up, and I'm sorry that it has taken this long to get back to you.

We can certainly update all of the http links. For the other two items you mentioned, we'll need to talk to our security team to find out if they're okay with those changes.

In the meantime, if you would like, you can email us at [email protected] with a brief summary of the issue you reported, and we can confirm to you whether or not we were informed about it.

popematt avatar Jun 25 '23 17:06 popematt

In the meantime, if you would like, you can email us at [email protected] with a brief summary of the issue you reported, and we can confirm to you whether or not we were informed about it.

Thanks! I have just forwarded the original mail to that address, it is not that long, so I hope that is ok for you.

Marcono1234 avatar Jun 25 '23 17:06 Marcono1234

Thank you. We will look into this.

popematt avatar Jun 26 '23 19:06 popematt

@Marcono1234, thanks for your patience with this. As you can probably guess, some of these changes require some work behind closed doors with our security teams and from the outside it might look like we are doing nothing.

Here are some of the changes that have happened so far:

  • We now have a security policy set up for the amazon-ion organization that applies to all repos. See https://github.com/amazon-ion/ion-java/security/policy, for example.
  • We have coordinated with AWS Security to ensure that they are expecting reports about Ion and that all security disclosures will be shared with us regardless of the severity of the issue, its eligibility for any bug bounty programs, etc.
  • We are switching the links in CONTRIBUTING.md to use https (#554).

popematt avatar Aug 23 '23 18:08 popematt

Thanks a lot for the update! The changes look and sound good to me.

We are switching the links in CONTRIBUTING.md to use https

In case you aren't aware of it yet, SECURITY.md and CONTRIBUTING.md in https://github.com/amazon-ion/.github still use http:// for the vulnerability reporting URL.

Marcono1234 avatar Aug 24 '23 18:08 Marcono1234