Add Security Policy #755

Open: wants to merge 6 commits into base: main
Conversation

@niccokunzmann (Member) commented Dec 2, 2024

This adds a security policy as required by Tidelift.

See https://icalendar--755.org.readthedocs.build/en/755/security.html

After the merge, I will activate the policy on GitHub here: https://github.com/collective/icalendar/security


📚 Documentation preview 📚: https://icalendar--755.org.readthedocs.build/

@coveralls commented Dec 2, 2024

Pull Request Test Coverage Report for Build 12449439023

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 96.355%

Totals Coverage Status
Change from base Build 12336865356: 0.0%
Covered Lines: 4580
Relevant Lines: 4747

💛 - Coveralls

@stevepiercy (Member) left a comment

See comment.

Member

For a security policy, see examples at:

It's really up to you what you want to include. If you have another revision after reviewing the above items, please @ me and I'll take another look. I'd suggest incorporating some bits and pieces from the above, especially how to work with CVEs.

Member Author


Thank you for the links! I changed it to link to the Plone security page.

I will also write to the security team to ask if they have any feedback on this change.

docs/security.rst
-------------------------

Please `report vulnerabilities of icalendar to Plone
<https://github.com/plone/.github/blob/main/SECURITY.md#readme>`_.
Member


Do not refer to links that refer to links, especially if you cannot honor the policies to which they refer. You should instead grab the relevant bits that you want to follow and incorporate them into your custom security policy.

As this states, eventually people may report the security issue to [email protected]. Are you a member of that email group? If not, you would need to discuss with them how to handle reports for icalendar sent to that address. It may be better to use another address.

Member Author


We can activate GitHub's security reporting for this project.

I wonder: If a vulnerability gets reported on GitHub, then the other Plone packages do not know it exists.
If a vulnerability is reported to Plone, then I do not know it was reported.

Thus, I wonder what to do. We have two different groups here that are affected. I asked the security team to enlighten us here.

Also, nobody reported anything like this for years and it is unlikely to happen. So. I wonder if this is hypothetical. But a report should also not go into the void after a few years.

Member


> We can activate GitHub's security reporting for this project.

To enable GitHub security, you create a SECURITY.md file at the root of your repo. GitHub should automatically detect it. It's nothing magical. It's mere documentation of how to report security issues, and how you will respond to them.

> I wonder: If a vulnerability gets reported on GitHub, then the other Plone packages do not know it exists. If a vulnerability is reported to Plone, then I do not know it was reported.

> Thus, I wonder what to do. We have two different groups here that are affected. I asked the security team to enlighten us here.

I would follow Pylons Project's workflow, modified to your preference.

https://github.com/Pylons/.github/blob/main/SECURITY.md

To summarize:

  1. Users report security issues responsibly and in a manner that allows maintainers to respond in a timely and effective manner.
  2. Maintainers verify and fix.
  3. All the bullet points at that link.

I have no insight into the Plone Security Team's internal process. I'm not a member, and it's not transparent. I never received a report back of what they did for an issue that I recently reported to them.

> Also, nobody reported anything like this for years and it is unlikely to happen. So. I wonder if this is hypothetical. But a report should also not go into the void after a few years.

It's only hypothetical until it's not, and then it's too late.

<https://github.com/plone/.github/blob/main/SECURITY.md#readme>`_.
If you cannot do this, please contact one of the
:ref:`maintainers`
directly or open an issue.
Member


You should not ask people to open a security issue in a public arena, such as an issue tracker. This also conflicts with the link above, which links to https://plone.org/security/report.

If you want to create an email distribution group, and add members to it to review security, I'd suggest following Pylons Project's example as in https://groups.google.com/g/pylons-project-security/ or other free email group distribution list service that is less Google-y.

* - 4.*
- ❌
* - < 4.*
- ❌
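Review bot: the two visible rows, `4.*` and `< 4.*`, carry the same unsupported mark, so they collapse into one row covering everything below the oldest supported line; two rows with identical status only add noise to the table. Since neither visible row marks any version as receiving security fixes, make sure the table also has an explicit row for the currently supported major version marked as supported, otherwise a reporter reading the table concludes that no release will be fixed.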
Member


For accessibility, I'm not a fan of emoji. Better to use "yes" and "no" for screen reader happiness.

niccokunzmann and others added 2 commits December 21, 2024 23:57
Co-authored-by: Steve Piercy <[email protected]>
Co-authored-by: Steve Piercy <[email protected]>
3 participants