
[Security] [Doc] no advice on how to report vulnerabilities

Open hpvd opened this issue 3 years ago • 10 comments

Describe the bug
security: no advice on how to report vulnerabilities

To Reproduce
Steps to reproduce the behavior:

  1. visit: https://github.com/apache/pulsar/issues/new/choose
  2. click button "view policy": https://github.com/apache/pulsar/security/policy
  3. follow link to: https://pulsar.apache.org/docs/security-policy-and-supported-versions/

see screenshot

Expected behavior
Advice on how to report vulnerabilities - or is it fine to just open an issue?

Screenshots
[screenshot attached: 2022-08-02_15h43_40]

hpvd avatar Aug 02 '22 13:08 hpvd

@sijie @Anonymitaet Do you have any idea/hint/advice on this?

hpvd avatar Aug 05 '22 07:08 hpvd

Hi @hpvd,

Thanks for reporting this issue! I think we can add a short statement to report security vulnerabilities via private mailing list or the ASF security mailing list.

tisonkun avatar Aug 05 '22 23:08 tisonkun

I'll prepare a patch and ask for PMC members to review.

tisonkun avatar Aug 05 '22 23:08 tisonkun

"How to report a Pulsar security issue" is documented in the Contribution guide.


Anonymitaet avatar Aug 08 '22 01:08 Anonymitaet

@Anonymitaet

The only link in SECURITY.md redirects users to "Security Policy and Supported Versions". To reduce confusion, either change the link to "Reporting a Vulnerability" or duplicate the info to the "Security Policy and Supported Versions" page. I prepared a patch for the latter in #16962; you may give a review comment there.

The third way is we don't redirect from SECURITY.md at all, but inline the information in the file.

tisonkun avatar Aug 08 '22 02:08 tisonkun

https://pulsar.apache.org/docs/next/security-policy-and-supported-versions/ contains the new version, but it is missing from https://pulsar.apache.org/docs/security-policy-and-supported-versions/ . @Anonymitaet I'm reopening this issue until that is resolved.

lhotari avatar Aug 09 '22 08:08 lhotari

@lhotari do you mean that we should cherry-pick (to master) this change to other versioned docs?

tisonkun avatar Aug 09 '22 08:08 tisonkun

> @lhotari do you mean that we should cherry-pick (to master) this change to other versioned docs?

@tisonkun I guess that is needed. In addition, I think it's necessary to inline the information in SECURITY.md so that the information isn't missing, at least from that page.

lhotari avatar Aug 09 '22 10:08 lhotari

@Anonymitaet how can we get https://pulsar.apache.org/docs/security-policy-and-supported-versions/ to match what is seen at https://pulsar.apache.org/docs/next/security-policy-and-supported-versions/ (to include #16962 changes)?

lhotari avatar Aug 09 '22 10:08 lhotari

@lhotari Do you mean bringing the #16962 changes to 2.10.1? If so, just copy and paste.

Anonymitaet avatar Aug 10 '22 02:08 Anonymitaet

Great catch, @hpvd. I didn't realize I had missed advising how to report a vulnerability. I agree with duplicating the information in the SECURITY.md file. This information won't change with any frequency, and it is imperative to make it easy to find.

I'd like to propose that we don't version the security page, but instead have some top level tab (or something like that) to make it easy to find and maintain.

michaeljmarshall avatar Aug 10 '22 17:08 michaeljmarshall

@michaeljmarshall shall we close this issue since #17039 is merged? Or would you like to complete it after we move the doc out of the versioned ones?

tisonkun avatar Aug 18 '22 06:08 tisonkun

Thanks for following up @tisonkun, yes, I believe #17039 completes this issue. Please reopen the issue if you see any issues @hpvd.

michaeljmarshall avatar Aug 18 '22 06:08 michaeljmarshall