Add SECURITY.md #85

Merged
merged 1 commit into from
Oct 28, 2024

TravisCarden
Collaborator

@TravisCarden TravisCarden commented Mar 3, 2023

Context/background: #79 (comment)

@TravisCarden TravisCarden mentioned this pull request Mar 3, 2023
4 tasks
@effulgentsia effulgentsia added the needs drupal release manager review https://www.drupal.org/contribute/core/maintainers#release-manager label Mar 3, 2023
@greggles

greggles commented Mar 5, 2023

I'm so glad you're working on this. Seems like a good start.

Some thoughts:

  • Maybe this should be linked from the README like "See the security guide for how to report security issues"?
  • We can clarify here that the Drupal Security process is a "hall of fame" system and can issue CVEs.
  • I tend not to use all caps in docs and prefer a "please" but I think please is kinda controversial. Maybe an emoji could help?

Something like this, perhaps:

  • 🛑 Please do not report vulnerabilities in this project in public GitHub issues.
  • ✅ Please report via the Drupal Security Team's reporting queue.

Also, should issues for this be reported to the core component? Normally if this had a project page on drupal.org there would be a project to assign it to on security.drupal.org but...without that where should this go? Wherever it is we can link directly to that reporting page in addition to the policy pages.

@xjm

xjm commented Mar 6, 2023

Well, Drupal's content guidelines advise against the use of the word "please" in d.o content and prohibit it entirely in Drupal's UI text, so I would leave out the "please". Fewer words is also generally preferable.

@greggles

greggles commented Mar 6, 2023

I guess that is this style guide? I see that advice, thanks. I also see the word please in a bunch of spots on that page, interestingly.

So, "please" is out. Noted.

@TravisCarden TravisCarden changed the base branch from xdevelop to develop March 8, 2023 16:20
@TravisCarden TravisCarden added the documentation Improvements or additions to documentation label Nov 14, 2023
@TravisCarden TravisCarden force-pushed the feature/security-policy branch from 81f26a5 to 694821a Compare November 14, 2023 18:33
@TravisCarden TravisCarden force-pushed the feature/security-policy branch from 694821a to ed8a475 Compare November 14, 2023 18:34
@catch56

catch56 commented Oct 25, 2024

I think this is a good start, we could improve it later if/when we need to.

@TravisCarden
Collaborator Author

Alright. We'll do that then.

@TravisCarden TravisCarden merged commit 6a91fdf into php-tuf:develop Oct 28, 2024
@TravisCarden TravisCarden deleted the feature/security-policy branch October 28, 2024 19:00
@TravisCarden TravisCarden changed the title Add SECURITY.md Add SECURITY.md Nov 19, 2024
Labels
documentation Improvements or additions to documentation needs drupal release manager review https://www.drupal.org/contribute/core/maintainers#release-manager
5 participants