community
Set security policies
We should have a private [email protected] alias, GPG key, and set up SECURITY.md for all our repos.
Do you have some links on best practices for how it will be used?
Not claiming it's a best practice, but just as a reference to what we did in Jaeger. The website footer contains a link to report security issues

which takes you to https://www.jaegertracing.io/report-security-issue/
That's correct, the goal is to enable people with critical security issues to responsibly disclose to us without going through public issue trackers, in order to allow us to remediate, push releases, and issue security advisories.
I'll bring this up at Governance this week, but it's probably more properly a matter for the TC.
Added to TC meeting agenda
Related PR by @jpkrohling: https://github.com/open-telemetry/opentelemetry-specification/pull/990
I would also recommend that each repo add an issue template "Report a security vulnerability".
Cf: https://github.com/jaegertracing/jaeger/issues/new/choose
That one is actually a link to the policy, which is created automatically when you add a SECURITY.md to the repo.
@open-telemetry/technical-committee just checking if this is still an open issue, or is resolved by https://github.com/open-telemetry/.github/pull/1? thx!
@trask I think this can be resolved. The one from the meta repo also shows up here at https://github.com/open-telemetry/community/security/policy.
Related: https://github.com/open-telemetry/community/issues/1338