Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Security Policy #755

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Conversation

niccokunzmann
Copy link
Member

@niccokunzmann niccokunzmann commented Dec 2, 2024

This adds a security policy as reguired by tidelift

See https://icalendar--755.org.readthedocs.build/en/755/security.html

After the merge, I will activate the policy on GitHub here: https://github.com/collective/icalendar/security


📚 Documentation preview 📚: https://icalendar--755.org.readthedocs.build/

@coveralls
Copy link

coveralls commented Dec 2, 2024

Pull Request Test Coverage Report for Build 12467547779

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 96.372%

Totals Coverage Status
Change from base Build 12452278202: 0.0%
Covered Lines: 4580
Relevant Lines: 4747

💛 - Coveralls

Copy link
Member

@stevepiercy stevepiercy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comment.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For a security policy, see examples at:

It's really up to you what you want to include. If you have another revision after reviewing the above items, please @ me and I'll take another look. I'd suggest incorporating some bits and pieces from the above, especially how to work with CVEs.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the links! I changed it to link to the Plone security page.

I will also write to the security team to ask if they have any feedback on this change.

docs/security.rst Outdated Show resolved Hide resolved
docs/security.rst Outdated Show resolved Hide resolved
-------------------------

Please `report vulnerabilities of icalendar to Plone
<https://github.com/plone/.github/blob/main/SECURITY.md#readme>`_.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do not refer to links that refer to links, especially if you cannot honor the policies to which they refer. You should instead grab the relevant bits that you want to follow and incorporate them into your custom security policy.

As this states, eventually people may report the security issue to [email protected]. Are you a member of that email group? If not, you would need to discuss with them how to handle reports for icalendar sent to that address. It may be better to use another address.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can activate GitHub's security reporting for this project.

I wonder: If a vulnerability gets reported on GitHub, then the other Plone packages do not know it exists.
If a vulnerability is reported to Plone, then I do not know it was reported.

Thus, I wonder what to do. We have two different groups here that are affected. I asked the security team to enlighten us here.

Also, nobody reported anything like this for years and it is unlikely to happen. So. I wonder if this is hypothetical. But a report should also not go into the void after a few years.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can activate GitHub's security reporting for this project.

To enable GitHub security, you create a SECURITY.md file at the root of your repo. GitHub should automatically detect it. It's nothing magical. It's mere documentation of how to report security issues, and how you will respond to them.

I wonder: If a vulnerability gets reported on GitHub, then the other Plone packages do not know it exists. If a vulnerability is reported to Plone, then I do not know it was reported.

Thus, I wonder what to do. We have two different groups here that are affected. I asked the security team to enlighten us here.

I would follow Pylons Project's workflow, modified to your preference.

https://github.com/Pylons/.github/blob/main/SECURITY.md

To summarize:

  1. Users report security issues responsibly and in a manner that allows maintainers to respond in a timely and effective manner.
  2. Maintainers verify and fix.
  3. All the bullet points at that link.

I have no insight into the Plone Security Team's internal process. I'm not a member, and it's not transparent. I never received a report back of what they did for an issue that I recently reported to them.

Also, nobody reported anything like this for years and it is unlikely to happen. So. I wonder if this is hypothetical. But a report should also not go into the void after a few years.

It's only hypothetical until it's not, and then it's too late.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for all the replies.

GitHub also allows security reporting. This is how it looks from the outside from the Open Web Calendar, my project. There is a button to report.
grafik

I like the one you showed me (Pylons). This is also nice to follow for someone (me) who did not go through this process yet but is in a position of responsibility.

  • I will copy that in.
  • change the links
  • use githubs security report feature - mainly because I do not want to maintain an independent list of who gets notified - it should be the GitHub project's maintainers.
  • I would add that we also notify the Plone security team.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did not know that GitHub had that feature. Your plan sounds good to me.

<https://github.com/plone/.github/blob/main/SECURITY.md#readme>`_.
If you cannot do this, please contact one of the
:ref:`maintainers`
directly or open an issue.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should not ask people to open a security issue in a public arena, such as an issue tracker. This also conflicts with the link above, which links to https://plone.org/security/report.

If you want to create an email distribution group, and add members to it to review security, I'd suggest following Pylon Project's example as in https://groups.google.com/g/pylons-project-security/ or other free email group distribution list service that is less Google-y.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would opt for the GitHub process. This way, we do not need to maintain another list.

docs/security.rst Outdated Show resolved Hide resolved
@niccokunzmann
Copy link
Member Author

niccokunzmann commented Dec 23, 2024

@stevepiercy Thanks for all that help! Please review again ❤️

  • As of now, once merged, we need to activate this green button on the project.
  • Also, I will wait for at least two weeks to give Plone's security team a chance to review before merge. (until Monday 6th Jan 2025)
  • Create direct link to report security, see here
  • Create link to page with security announcements on GitHub.
  • add link to tidelift in funding.yml

Copy link
Member

@stevepiercy stevepiercy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! Only question is about the direct link, but I assume that can come after this is merged.

docs/security.rst Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants