Skip to content

First pass at defining our threat model and security policy #1630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

First pass at defining our threat model and security policy #1630

wants to merge 4 commits into from

Conversation

JeanChristopheMorinPerso
Copy link
Member

@JeanChristopheMorinPerso JeanChristopheMorinPerso commented Feb 11, 2024
edited
Loading

Fixes #1650

Very WIP. Created a draft PR for visibility.

  • Should we add the assumption that external plugins can be loaded and override builtin plugins?
  • Need to define the kind of threats that we are vulnerable to.
  • Fix typos, etc.

JeanChristopheMorinPerso
JeanChristopheMorinPerso commented Feb 11, 2024
View reviewed changes
SECURITY.md Outdated
* Package definitions, both for building packages and resulting from a build are Python files (`package.py`). Rez will read and load them in memory at resolve time.
* Rez config files can be written in YAML or Python.
* Package definitions and config files written in Python can contain arbitrary code.
* Rez will create new shells via subprocesses.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we state that shells can be nested? I feel like we should since that's differentiator from other environment managers (conda, virtualenv, etc).

SECURITY.md
If you think you've found a potential vulnerability in rez, please report it by filing a GitHub [security
advisory](https://github.com/AcademySoftwareFoundation/rez/security/advisories/new). Alternatively, email [email protected] and provide your contact info for further private/secure discussion. If your email does not receive a prompt acknowledgement, your address may be blocked.

Our policy is to acknowledge the receipt of vulnerability reports within 72 hours.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think 72 hours is reasonable for a first response. Any opinions?

@JeanChristopheMorinPerso JeanChristopheMorinPerso force-pushed the threat_model_and_security_policy branch from c6ad49b to 99839c9 Compare February 11, 2024 02:10
@JeanChristopheMorinPerso
Move security details into the docs
1f02338 
Signed-off-by: Jean-Christophe Morin <[email protected]>
@JeanChristopheMorinPerso JeanChristopheMorinPerso force-pushed the threat_model_and_security_policy branch from 28a8287 to 1f02338 Compare February 29, 2024 00:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add SECURITY.md (security policy, threat model, etc)
1 participant
@JeanChristopheMorinPerso