#12023 Add GitHub security policy #12024
Conversation
I left the file as /SECURITY.md to be as visible as possible. For now SECURITY.md has the same content as docs/security.rst. Maybe /SECURITY.md can be brief, just an introduction and then a link to our full security reporting page. What do you think?
We take security very seriously.
Your input and feedback on our security is always appreciated.

You can send urgent or sensitive reports directly to security@twistedmatrix.com
You can send urgent or sensitive reports via `GitHub Security Advisory <https://github.com/twisted/twisted/security/advisories/new>`_.
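Review bot: the advisory link is introduced alongside the existing security@twistedmatrix.com instruction, so the file now offers two reporting channels without saying which one is preferred; name the GitHub Security Advisory form as the primary channel and state explicitly that neither the report nor the fix should be filed as a public issue or PR, since a public PR discloses the bug before a fix is ready.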
I think that we should also add a big warning at the start of this document, to mention that any security PR should be done via private repos using the GitHub functionality.
Otherwise, by creating a normal PR the bug is disclosed before the fix is ready :)
The file should be
The rename is done. My suggestion is to keep SECURITY.MD brief. Just inform that security reports should be made by clicking the button at the top right. Inform that no public ticket or public PR should be made for the issue, and that the GitHub process will handle the privacy. Also provide a link to the security.rst full docs. What do you think?
As we try to receive money from Tidelift, for each CVE we will need to answer these questions:
I see that for previous CVEs (Twisted releases), someone from Tidelift has already answered these questions. I think that the questions are reasonable, and we might want to include them in the release notes for a security issue.
I'd say let's just land this since it seems mostly fine, and possibly do the clean-up you're suggesting in a follow-up.
Thanks for the review. I have enabled the auto-merge.
Scope and purpose
Fixes #12023
Right now the main "Security" page for twisted/twisted looks like
We would like to have the security info right away, something like Electron.
In order to actually see the result of this PR, it needs to be merged.
You can view the content of the file at https://github.com/twisted/twisted/blob/12023-github-security-policy/.SECURITY.md