Create security.md (#521)

rscohn2 · web-flow · commit 8eabe404d7af · 2024-04-10T19:57:45.000Z
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -15,26 +15,29 @@ jobs:
   checks:
     runs-on: ${{ github.repository_owner == 'oneapi-src' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
-    - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
+    - uses: actions/checkout@v4.1.2
+    - uses: actions/setup-python@v5.1.0
       with:
         python-version: '3.10'
         cache: 'pip'
     - name: Checks
-      uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
+      uses: pre-commit/action@v3.0.1
 
   build:
+    permissions:
+      # needed for upload-artifact
+      actions: write
     runs-on: ${{ github.repository_owner == 'oneapi-src' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+    - uses: actions/checkout@v4.1.2
     - name: Install ubuntu prerequisites
       run: |
         sudo apt update -qq
         xargs -a ubuntu-packages.txt sudo apt install -qq
         curl -s https://www.doxygen.nl/files/doxygen-1.9.6.linux.bin.tar.gz -o /tmp/dox.tgz
         sudo tar zxf /tmp/dox.tgz -C /usr/local
         sudo ln -s /usr/local/doxygen*/bin/* /usr/bin
-    - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
+    - uses: actions/setup-python@v5.1.0
       with:
         python-version: '3.10'
         cache: 'pip'
@@ -57,23 +60,25 @@ jobs:
         cp -r build/html/* site/spec
         cp build/latex/*.pdf site/spec
     - name: Archive site
-      uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
+      uses: actions/upload-artifact@v4.3.1
       with:
         name: site
         path: site
 
   publish_site:
+    permissions:
+      contents: write
     needs: [checks, build]
     if: ${{ github.ref == 'refs/heads/main' }}
     runs-on: ${{ github.repository_owner == 'oneapi-src' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     steps:
     - name: Checkout gh-pages
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      uses: actions/checkout@v4.1.2
       with:
         ref: gh-pages
         path: gh-pages
     - name: Retrieve site
-      uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935
+      uses: actions/download-artifact@v4.1.4
       with:
         name: site
         path: gh-pages
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -9,11 +9,11 @@ exclude: LICENSES|source/elements
 
 repos:
 - repo: https://github.com/ambv/black
-  rev: 23.3.0
+  rev: 24.3.0
   hooks:
   - id: black
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.4.0
+  rev: v4.6.0
   hooks:
   - id: trailing-whitespace
   - id: end-of-file-fixer
@@ -24,14 +24,14 @@ repos:
   hooks:
   - id: doc8
 - repo: https://github.com/fsfe/reuse-tool
-  rev: v2.0.0
+  rev: v3.0.2
   hooks:
   - id: reuse
 - repo: https://github.com/pycqa/flake8
-  rev: 6.0.0
+  rev: 7.0.0
   hooks:
   - id: flake8
 - repo: https://github.com/pycqa/isort
-  rev: 5.12.0
+  rev: 5.13.2
   hooks:
   - id: isort
diff --git a/README.rst b/README.rst
@@ -126,11 +126,11 @@ Use the reuse_ tool
 
 Code examples::
 
-  reuse addheader --copyright "Intel Corporation" --year 2020 --license MIT source/examples/host-task.cpp
+  reuse addheader --copyright "Constributors to the oneapi-spec project" --license MIT source/examples/host-task.cpp
 
 Doc sources::
 
-  reuse addheader --copyright "Intel Corporation" --year 2020 --license CC-BY-4.0 source/index.rst
+  reuse addheader --copyright "Constributors to the oneapi-spec project" --license CC-BY-4.0 source/index.rst
 
 
 ----------------
diff --git a/security.md b/security.md
@@ -0,0 +1,74 @@
+<!--
+SPDX-FileCopyrightText: 2024 Constributors to the oneapi-spec project
+
+SPDX-License-Identifier: CC-BY-4.0
+-->
+
+# Security Policy
+As an open-source project, we understand the importance of and responsibility
+for security. This Security policy outlines our guidelines and procedures for
+ensuring the highest level of Security and trust for our users.
+
+## Supported Versions
+We regularly perform patch releases for the supported
+[latest version][1],
+which contain fixes for security vulnerabilities and important bugs. Prior
+releases might receive critical security fixes on a best-effort basis; however,
+we cannot guarantee that security fixes will get back-ported to these
+unsupported versions.
+
+## Report a Vulnerability
+We are very grateful to the security researchers and users that report back
+security vulnerabilities. We investigate every report thoroughly.
+We strongly encourage you to report security vulnerabilities to us privately,
+before disclosing them on public forums or opening a public GitHub issue.
+Report a vulnerability to us in one of two ways:
+* Open a draft [**GitHub Security Advisory**][2]
+* Send e-mail to the following address: **security@lists.uxlfoundation.org**.
+Along with the report, please include the following info:
+  * A descriptive title.
+  * Your name and affiliation (if any).
+  * A description of the technical details of the vulnerabilities.
+  * A minimal example of the vulnerability so we can reproduce your findings.
+  * An explanation of who can exploit this vulnerability, and what they gain
+  when doing so.
+  * Whether this vulnerability is public or known to third parties. If it is,
+  please provide details.
+
+### When Should I Report a Vulnerability?
+* You think you discovered a potential security vulnerability in oneDNN.
+* You are unsure how the potential vulnerability affects oneDNN.
+* You think you discovered a vulnerability in another project or 3rd party
+component on which oneDNN depends. If the issue is not fixed in the 3rd party
+component, try to report directly there first.
+
+### When Should I NOT Report a Vulnerability?
+* You got an automated scan hit and are unable to provide details.
+* You need help using oneDNN for security.
+* You need help applying security-related updates.
+* Your issue is not security-related.
+
+## Security Reports Review Process
+Our goal is to respond quickly to your inquiry, and to coordinate a fix and
+disclosure with you. All confirmed security vulnerabilities will be addressed
+according to severity level and impact on oneDNN. Normally, security issues
+are fixed in the next planned release.
+
+## Disclosure Policy
+We will publish security advisories using the
+[**GitHub Security Advisories feature**][3]
+to keep our community well-informed, and will credit you for your findings
+unless you prefer to stay anonymous. We request that you refrain from
+exploiting the vulnerability or making it public before the official disclosure.
+
+We will disclose the vulnerabilities and/or bugs as soon as possible once
+mitigation is implemented and available.
+
+## Feedback on This Policy
+If you have any suggestions on how this Policy could be improved, please submit
+an issue or a pull request to this repository. Please **do not** report
+potential vulnerabilities or security flaws via a pull request.
+
+[1]: https://github.com/oneapi-src/oneapi-spec/releases/latest
+[2]: https://github.com/oneapi-src/oneapi-spec/security/advisories/new
+[3]: https://github.com/oneapi-src/oneapi-spec/security/advisories
