[BUG] issues with Hertzbeat Security docs
Is there an existing issue for this?
- [X] I have searched the existing issues
Current Behavior
The link to report a security issue on https://github.com/apache/hertzbeat/issues/new/choose is not ASF standard practice. It is my understanding that all security issues relating to ASF projects and podlings need to be reported to an ASF mailing list. The default is [email protected] but some well-established projects have mailing lists of form [email protected]. These mails are visible to the ASF Security team and this allows independent monitoring of whether ASF teams are dealing with reports.
I also think that https://github.com/apache/hertzbeat?tab=security-ov-file#readme should be updated to explicitly link to https://www.apache.org/security/ and to be much more explicit about the need to keep the issue private until the project team gets to look at the issue and if necessary, attempt a fix.
fyi @raboof
Expected Behavior
Follow standard ASF Security practices
Steps To Reproduce
No response
Environment
HertzBeat version(s):
Debug logs
No response
Anything else?
No response
Hi, thanks for pointing that out. We will update these docs.
> The link to report a security issue on https://github.com/apache/hertzbeat/issues/new/choose is not ASF standard practice. It is my understanding that all security issues relating to ASF projects and podlings need to be reported to an ASF mailing list. The default is [email protected] but some well-established projects have mailing lists of form [email protected]. These mails are visible to the ASF Security team and this allows independent monitoring of whether ASF teams are dealing with reports.
Yes, we should disable the option to report security issues through GitHub Private Vulnerability Reporting, because it currently does not leave the correct audit log. Before disabling GitHub Private Vulnerability Reporting for Hertzbeat, though, we should double-check the issues reported through this mechanism have since been dealt with the ASF way. @tomsun28 can you (and the rest of the PPMC) double-check this?
Looking further ahead, we do want to enable projects to opt-in into accepting security issues through GitHub Private Vulnerability Reporting. However, before we can enable this, we must put into place the proper audit mechanisms. This is tracked in https://issues.apache.org/jira/browse/INFRA-25020 (private link).
> I also think that https://github.com/apache/hertzbeat?tab=security-ov-file#readme should be updated to explicitly link to https://www.apache.org/security/
I agree that would be good. This might also be a good place to describe Hertzbeat's security model - see https://cwiki.apache.org/confluence/display/SECURITY/Documenting+your+security+model for more information on that.
> Yes, we should disable the option to report security issues through GitHub Private Vulnerability Reporting, because it currently does not leave the correct audit log. Before disabling GitHub Private Vulnerability Reporting for Hertzbeat, though, we should double-check the issues reported through this mechanism have since been dealt with the ASF way. @tomsun28 can you (and the rest of the PPMC) double-check this?
Hi raboof, thanks for the suggestion. I have double-checked that all security vulnerability reports since HertzBeat joined the ASF incubator have been dealt with the ASF way. It seems that we don't have permission to disable this option. I will ask the infra team for help.
> I agree that would be good. This might also be a good place to describe Hertzbeat's security model - see https://cwiki.apache.org/confluence/display/SECURITY/Documenting+your+security+model for more information on that.
Yes, we have just added the HertzBeat security model doc: https://hertzbeat.apache.org/docs/help/security_model
> Yes, we should disable the option to report security issues through GitHub Private Vulnerability Reporting, because it currently does not leave the correct audit log. Before disabling GitHub Private Vulnerability Reporting for Hertzbeat, though, we should double-check the issues reported through this mechanism have since been dealt with the ASF way. @tomsun28 can you (and the rest of the PPMC) double-check this?
> Hi raboof, thanks for the suggestion. I have double-checked that all security vulnerability reports since HertzBeat joined the ASF incubator have been dealt with the ASF way. It seems that we don't have permission to disable this option. I will ask the infra team for help.
Thanks - I have disabled the feature.
> I agree that would be good. This might also be a good place to describe Hertzbeat's security model - see https://cwiki.apache.org/confluence/display/SECURITY/Documenting+your+security+model for more information on that.
> Yes, we have just added the HertzBeat security model doc: https://hertzbeat.apache.org/docs/help/security_model
Awesome! It might be nice to add the documentation on how to privately report an issue to that page as well? Then you can replace the 'Security' link in the main menu with a link to that page.
> Awesome! It might be nice to add the documentation on how to privately report an issue to that page as well? Then you can replace the 'Security' link in the main menu with a link to that page.
OK, I will update these docs.