update: report vulnerability via github, not email #155
Conversation
✅ Deploy Preview for erlang-org ready!
I am not sure I understand what Netlify is complaining about...
u3s
left a comment
I don't know how this security tab on GitHub really works.
I think I don't have enough privileges to handle the items properly.
There is some procedure behind handling those items on GitHub; I would like to understand it before we change the way of working with the community.
I pushed a fix to master for the redirect rules. If you rebase the PR, CI should now pass. |
It is quite simple to add a new page with the security information instead of a news item. We could then link to it from the downloads page?
OK, I have added a new Security page in the header. But I can put some description in the Downloads page and add it there. Please let me know if anyone disagrees, and propose a change :)
Also some other remaining parts regarding news/172. I think I have finished that now.
Co-authored-by: Lukas Backström (FKA Larsson) <[email protected]>
@IngelaAndin and/or @u3s, I know there were concerns about using GitHub Security, at least until the Security Masters feel OK using it. Whenever that happens, let me know and I will merge the PR :)
This RFC is recommended by governments around the world, CISA and the IESG, and has been accepted by the IETF. security.txt is an accepted standard for website security information that allows security researchers to report security vulnerabilities easily.
Given that we are discussing this PR soon, I also added a new file to indicate to researchers how to tell us about vulnerabilities. This has been recommended by CISA, the Dutch government, the UK government, many Swedish websites (even H&M has one), Google, Facebook, GitHub, etc. It is something small that seems to serve a good purpose. I think we should add it, even if it means filing a ticket as a reminder to renew the date.
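The security.txt file proposed in the comment above has a fixed format (RFC 9116) with two mandatory fields, Contact and Expires, and the comment notes that the expiry date has to be renewed on a schedule. The checker below is an added example written for this page; it is not code from the erlang-org repository or from this PR. The sample file, the example.org URLs and the check_on helper are constructed for illustration and do not describe erlang.org's actual file.

```python
"""Checker for a security.txt file (RFC 9116).

Added example, not part of erlang-org or this PR. It parses the file,
verifies the two mandatory fields (Contact and Expires), flags fields the
RFC does not define, and reports an Expires value that has already passed
or lies more than a year ahead (the RFC recommends less than a year, which
is why the date has to be renewed on a schedule).
"""
from datetime import datetime, timedelta

# Fields defined by RFC 9116 section 2.5.
KNOWN_FIELDS = {
    "Acknowledgments", "Canonical", "Contact", "Encryption", "Expires",
    "Hiring", "Policy", "Preferred-Languages",
}
REQUIRED_FIELDS = ("Contact", "Expires")
# Fields that must not appear more than once.
SINGLE_FIELDS = ("Expires", "Preferred-Languages")

# Constructed sample; the example.org URLs are placeholders, not erlang.org's file.
SAMPLE = """\
# Where to report security issues (constructed example)
Contact: https://example.org/security/report
Expires: 2026-06-30T00:00:00Z
Preferred-Languages: en
Canonical: https://example.org/.well-known/security.txt
Policy: https://example.org/security
"""


def parse_security_txt(text):
    """Return {field: [values...]} in order of appearance.

    Blank lines and '#' comments are skipped; a line without ':' is an error.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now):
    """Return a list of problems found; an empty list means the file passes."""
    problems = []
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in SINGLE_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"field not defined by RFC 9116: {name}")

    # Contact must be a URI; a web URI has to use https (RFC 9116 section 2.5.3).
    for uri in fields.get("Contact", []):
        if uri.startswith("http://"):
            problems.append(f"Contact web URI must use https: {uri}")
        elif not uri.startswith(("https://", "mailto:", "tel:")):
            problems.append(f"Contact is not a recognised URI: {uri}")

    if len(fields.get("Expires", [])) == 1:
        try:
            expires = datetime.fromisoformat(fields["Expires"][0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
        else:
            if expires.tzinfo is None:
                problems.append("Expires lacks a time zone offset")
            elif expires <= now:
                problems.append("Expires has passed; the file must be renewed")
            elif expires - now > timedelta(days=365):
                problems.append("Expires is more than a year ahead (RFC 9116 recommends less)")
    return problems


def check_on(text, as_of):
    """Evaluate the file as of an ISO 8601 UTC timestamp string (e.g. for a renewal reminder)."""
    now = datetime.fromisoformat(as_of.replace("Z", "+00:00"))
    return check_security_txt(text, now)


if __name__ == "__main__":
    for problem in check_on(SAMPLE, "2026-01-15T00:00:00Z") or ["ok"]:
        print(problem)
```

Running the checker from a scheduled CI job (with the current date passed to check_on) is one way to get the "reminder to renew the date" the comment asks for without a manual ticket: the job fails once Expires has passed or was set too far ahead.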
Merging on Monday, 14:00 unless someone objects |
Co-authored-by: Lukas Backström (FKA Larsson) <[email protected]>
This PR updates how users should report security vulnerabilities in Erlang/OTP.
I have added a deprecation note on the old post from 2017, removed references to emailing us security vulnerabilities (usually users do not encrypt these messages), and copy-pasted news/111 into news/172, also removing references to bugs.erlang.org (which points to https://github.com/erlang/otp/issues).
I am going to ask @u3s and @IngelaAndin to review this description as security experts in Erlang/OTP :)