Set security policies #401
Comments
Do you have some links to best practices on how it will be used?
Not claiming it's a best practice, but just as a reference to what we did in Jaeger. The website footer contains a link to report security issues, which takes you to https://www.jaegertracing.io/report-security-issue/
That's correct, the goal is to enable people with critical security issues to responsibly disclose to us without going through public issue trackers, in order to allow us to remediate, push releases, and issue security advisories.
I'll bring this up at Governance this week, but it's probably more properly a matter for the TC.
Added to TC meeting agenda.
Related PR by @jpkrohling: open-telemetry/opentelemetry-specification#990 |
I would also recommend that each repo add an issue template "Report a security vulnerability". Cf. https://github.com/jaegertracing/jaeger/issues/new/choose
That one is actually a link to the policy, which is created automatically when you add a SECURITY.md to the repo.
@open-telemetry/technical-committee just checking if this is still an open issue, or is resolved by open-telemetry/.github#1? thx! |
@trask I think this can be resolved. The one from the meta repo also shows up here at https://github.com/open-telemetry/community/security/policy. |
Related: open-telemetry/sig-security#75 |
We should have a private [email protected] alias, GPG key, and set up SECURITY.md for all our repos.