Community: Set security policies

Created on 1 Jul 2020  路  8Comments  路  Source: open-telemetry/community

We should have a private [email protected] alias, GPG key, and set up SECURITY.md for all our repos.

Most helpful comment

Not claiming it's a best practice, but just as a reference to what we did in Jaeger. Website footer contains a link to report security issues

image

which takes you to https://www.jaegertracing.io/report-security-issue/

All 8 comments

Do you have some links on best practices on how it will be used?

Not claiming it's a best practice, but just as a reference to what we did in Jaeger. Website footer contains a link to report security issues

image

which takes you to https://www.jaegertracing.io/report-security-issue/

That's correct, the goal is to enable people with critical security issues to responsibly disclose to us without going through public issue trackers, in order to allow us to remediate, push releases, and issue security advisories.

I'll bring this up at Governance this week, but it's probably more properly a matter for the TC.

Added to TC meeting agenda

I would also recommend each repo to add an issue template "Report a security vulnerability".

Cf: https://github.com/jaegertracing/jaeger/issues/new/choose

That one is actually a link to the policy, which is created automatically when you add a SECURITY.md to the repo.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

WPH95 picture WPH95  路  3Comments

ahayworth picture ahayworth  路  3Comments

breedx-splk picture breedx-splk  路  3Comments

lalitb picture lalitb  路  3Comments

dashpole picture dashpole  路  3Comments