Add security contact information #10
Conversation
Add instructions for reporting security vulnerabilities
| @@ -67,4 +67,6 @@ requested and approved by the OpenELA TSC on a per-individual basis. | |||
|
|
|||
| ## Contacting the OpenELA TSC | |||
|
|
|||
| The TSC can be contacted via the email address: [[email protected]](mailto:[email protected]) | |||
| The TSC can be contacted via the email address: [[email protected]](mailto:[email protected]) | |||
There was a problem hiding this comment.
Nit: missing dot at the end of the line
There was a problem hiding this comment.
i'll respin this PR without modifying that line
| Please report security issues to the Technical Steering Committee. | ||
| https://github.com/openela/governance/tree/main/TSC#contacting-the-openela-tsc | ||
|
|
||
| We encourage the use of GPG encrypted email. |
There was a problem hiding this comment.
Fine. I wonder if we could simply use the GitHub builtin vulnerability reporting instead? Would allow collaboration on issues.
There was a problem hiding this comment.
That would probably work assuming the TSC gets notified. The one complication is that we'd be directing folks to use a specific repository (the issues repository, which doesn't exist yet) rather than allowing issues everywhere in openela-main, and that would prevent the private-issues-reporting tool from creating forks (since it'd be a different repository).
|
I'm going to hold off on this for now. Dirk is right that native github vulnerability handling is better than emailing the TSC, however those issues should go into the not-yet-created catchall project we're going to have for filing and responding to issues, so we can pick this back up once that repository is available. |
No description provided.