Adds SECURITY.md to outline our security policies #2086
Conversation
.github/SECURITY.md
Outdated
| from a member of the website working group within 3 working days. After that, | ||
| the website working group will begin their analysis. Depending on the action | ||
| to be taken, you may receive followup emails. It can take several weeks before | ||
| the website working group comes to a conclusion and resolve the issue. |
There was a problem hiding this comment.
I have mostly just copied from Django's security policy. We might want to update.
There was a problem hiding this comment.
I'd remove or extend the 3 working days timeline, we don't need to set a timeline on ourselves like for the framework.
.github/SECURITY.md
Outdated
| - Confirm the problem. | ||
| - Audit code to find any potential similar problems. | ||
| - Apply the relevant patches to the codebase. | ||
| - Deploy the fixed codebase. |
There was a problem hiding this comment.
Do we know how we want to disclose a security issue, since for the website, we don't really need to make releases and ask users to update. Maybe this section should be titled differently. Thoughts?
There was a problem hiding this comment.
My first thought would be, do we even need a disclosure policy at all?
There was a problem hiding this comment.
I doubt we'd need to disclose anything unless user data is compromised.
.github/SECURITY.md
Outdated
| to follow few guidelines that helps us in analysis and resolving the issue quicker. | ||
|
|
||
| - Include a runnable proof of concept to reproduce the issue | ||
| - User input must be sanitized |
There was a problem hiding this comment.
Are there other website specific guidelines we want to add?
There was a problem hiding this comment.
What does "User input must be sanitized" means in this context?
I'm not sure what it means, so it could also be confusing for a reporter.
There was a problem hiding this comment.
+1 - User input must be sanitized is unclear to me too.
.github/SECURITY.md
Outdated
| ## Reporting a Bug | ||
|
|
||
| The Django website working group is committed to responsible reporting and | ||
| disclosure of security-related issue in our website. We appreciate your efforts |
.github/SECURITY.md
Outdated
| from a member of the website working group within 3 working days. After that, | ||
| the website working group will begin their analysis. Depending on the action | ||
| to be taken, you may receive followup emails. It can take several weeks before | ||
| the website working group comes to a conclusion and resolve the issue. |
.github/SECURITY.md
Outdated
| ## Reporting Guidelines | ||
|
|
||
| While reporting a security issue related to the Django website, we encourage | ||
| to follow few guidelines that helps us in analysis and resolving the issue quicker. |
There was a problem hiding this comment.
"we encourage to follow few guidelines that helps us" => "we encourage you to follow a few guidelines that help us"
.github/SECURITY.md
Outdated
| - Confirm the problem. | ||
| - Audit code to find any potential similar problems. | ||
| - Apply the relevant patches to the codebase. | ||
| - Deploy the fixed codebase. |
There was a problem hiding this comment.
I doubt we'd need to disclose anything unless user data is compromised.
There was a problem hiding this comment.
Thank you for starting this @SaptakS
Here are some additional thoughts on content - feel free to incorporate in your own words as this is LLM generated.
- a description of the vulnerability
- steps to reproduce the issue
- any relevant supporting material (e.g., proof-of-concept, screenshots, affected URLs)
- do not publicly disclose the vulnerability until we have confirmed and addressed it
- do not exploit the vulnerability beyond what is necessary to demonstrate it, especially if it permits you access to sensitive or personal data. Respect the privacy of others.
## rewards
We do not offer monetary rewards or bug bounties for vulnerability reports. Please do not request payment for reporting a vulnerability.
## report quality
We welcome well-researched and clearly explained reports.
Automated or low-effort submissions that do not demonstrate a clear security impact are not appreciated and may be discarded after review.
We will always send an acknowledgment of receipt, but reports that lack sufficient detail may not be investigated further.
.github/SECURITY.md
Outdated
| @@ -0,0 +1,46 @@ | |||
| # Security Policies and Procedures | |||
|
|
|||
| This document outlines security procedures and general policies for the Django website (`djangoproject.com`). This is separate from [Django's security policies](https://docs.djangoproject.com/en/dev/internals/security/). | |||
There was a problem hiding this comment.
Should we mention this also covers docs.djangoproject.com since this is the same application?
.github/SECURITY.md
Outdated
| and responsible disclosure. | ||
|
|
||
| Report security bugs and issue by sending an email to website-wg@djangoproject.com. | ||
| For encryption, use: https://keys.openpgp.org/vks/v1/by-fingerprint/AF3516D27D0621171E0CCE25FCB84B8D1D17F80B |
There was a problem hiding this comment.
@SaptakS this does not look correct to me. This key is for security@djangoproject.com. Our working group does not posses the private key so we would be unable to decrypt messages that were encrypted with this key.
Perhaps GitHub's 'report a vulnerability' feature could be recommended instead as a secure alternative? https://github.com/django/djangoproject.com/security/advisories/new
.github/SECURITY.md
Outdated
| to follow few guidelines that helps us in analysis and resolving the issue quicker. | ||
|
|
||
| - Include a runnable proof of concept to reproduce the issue | ||
| - User input must be sanitized |
There was a problem hiding this comment.
+1 - User input must be sanitized is unclear to me too.
.github/SECURITY.md
Outdated
| If you have suggestions on how this process could be improved please submit a | ||
| pull request. |
There was a problem hiding this comment.
Could we make this a direct link to the 'edit file' feature in GitHub? Make it as easy as possible to suggest improvements.
SaptakS
force-pushed
the
add-security-policy
branch
from
240b758 to
db59f49
Compare
SaptakS
force-pushed
the
add-security-policy
branch
from
08a2cb6 to
e96da94
Compare
SaptakS
force-pushed
the
add-security-policy
branch
from
6e9a880 to
0be5a56
Compare
| disclosure of security-related issue on our website. We appreciate your efforts | ||
| and responsible disclosure. | ||
|
|
||
| Report security bugs and issue by creating a |
There was a problem hiding this comment.
| Report security bugs and issue by creating a | |
| Report security bugs and issues by creating a |
There was a problem hiding this comment.
Is "security bug" a thing? I'm missing what we mean here.
There was a problem hiding this comment.
I think 'security defect' is a more common term, but did not want to be nitpicky
| and responsible disclosure. | ||
|
|
||
| Report security bugs and issue by creating a | ||
| [new vulnerability report](https://github.com/django/djangoproject.com/security/advisories/new) |
There was a problem hiding this comment.
A downside of this feature is that it requires the reporter to have a GitHub account. Do we consider that acceptable?
There was a problem hiding this comment.
Discussed this during the October 2nd meeting, we feel the current form suffices.
We'd rather not handle security reports over unencrypted email since the effort of maintaining the required infrastructure (PGP keys etc) is considered not worth the effort for something that is not even the preferred method of reporting defects.
We'll revisit the issue if this ever posses a problem.
5 participants
As discussed in our last meeting, along with a
.well-known/security.txt, it's nice to have aSECURITY.mdto be shown as our security policy in the GitHub Security tab.This PR adds the policies for reporting a bug and disclosing.