From 1e4464777d15583ccb81b5abc1a88a1d080da944 Mon Sep 17 00:00:00 2001 From: thepetk Date: Thu, 22 Aug 2024 11:55:29 +0100 Subject: [PATCH 1/7] Add security.md Signed-off-by: thepetk --- SECURITY.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..e69de29bb From 09e746b186ea8fcbd9b40a7c13f6233ed035288b Mon Sep 17 00:00:00 2001 From: thepetk Date: Thu, 22 Aug 2024 11:57:02 +0100 Subject: [PATCH 2/7] Update content of security.md Signed-off-by: thepetk --- SECURITY.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index e69de29bb..49467ea14 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -0,0 +1,17 @@ +# Reporting of Security Issues + +The devfiles team takes immediate action to address security-related issues involving devfile projects. + +Note, that normally we try to fix issues found for the latest releases of our projects. Backport fixes will be made only for exceptional cases, if the team has identified the need to do so. + +## Reporting process + +When a security vulnerability is found is important to not accidentally broadcast to the world that the issue exists, as this makes it easier for people to exploit it. The preferred way of reporting security issues in Devfiles is listed below. + +### Email team devfile + +An email to team-devfile@redhat.com is the preferred mechanism for outside users to report security issues. A member of the devfile team will open the required issues and keep you up-to-date about the status of the issue. + +### What to avoid + +Do not open a public issue, send a pull request, or disclose any information about the suspected vulnerability publicly, **including in your own publicly visible git repository**. From 7d0436b7ccb97b621631f286f8dbb19295018eab Mon Sep 17 00:00:00 2001 From: thepetk Date: Tue, 3 Sep 2024 16:37:11 +0100 Subject: [PATCH 3/7] Update email address 
Signed-off-by: thepetk --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 49467ea14..825c2fb7a 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -10,7 +10,7 @@ When a security vulnerability is found is important to not accidentally broadcas ### Email team devfile -An email to team-devfile@redhat.com is the preferred mechanism for outside users to report security issues. A member of the devfile team will open the required issues and keep you up-to-date about the status of the issue. +An email to team-devfile-security@redhat.com is the preferred mechanism for outside users to report security issues. A member of the devfile team will open the required issues and keep you up-to-date about the status of the issue. ### What to avoid From 398b2f8364cc340986bac73bb72e4b686401ea04 Mon Sep 17 00:00:00 2001 From: Theofanis Petkos Date: Tue, 3 Sep 2024 17:02:45 +0100 Subject: [PATCH 4/7] Update SECURITY.md Co-authored-by: Jordan Dubrick Signed-off-by: thepetk --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 825c2fb7a..e287def83 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,6 +12,6 @@ When a security vulnerability is found is important to not accidentally broadcas An email to team-devfile-security@redhat.com is the preferred mechanism for outside users to report security issues. A member of the devfile team will open the required issues and keep you up-to-date about the status of the issue. -### What to avoid +## What To Avoid Do not open a public issue, send a pull request, or disclose any information about the suspected vulnerability publicly, **including in your own publicly visible git repository**. From e7c0ece967ed71e63ade3a150a729967a589111a Mon Sep 17 00:00:00 2001 From: Theofanis Petkos Date: Tue, 3 Sep 2024 17:02:52 +0100 Subject: [PATCH 5/7] Update SECURITY.md Co-authored-by: Jordan Dubrick 
Signed-off-by: thepetk --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index e287def83..5560fed0c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -8,7 +8,7 @@ Note, that normally we try to fix issues found for the latest releases of our pr When a security vulnerability is found is important to not accidentally broadcast to the world that the issue exists, as this makes it easier for people to exploit it. The preferred way of reporting security issues in Devfiles is listed below. -### Email team devfile +## Contact Us An email to team-devfile-security@redhat.com is the preferred mechanism for outside users to report security issues. A member of the devfile team will open the required issues and keep you up-to-date about the status of the issue. From fc6c76953cd4cd201a74ae6db01f2d3441581924 Mon Sep 17 00:00:00 2001 From: Theofanis Petkos Date: Tue, 3 Sep 2024 17:02:56 +0100 Subject: [PATCH 6/7] Update SECURITY.md Co-authored-by: Jordan Dubrick Signed-off-by: thepetk --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 5560fed0c..59c6db975 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,7 +4,7 @@ The devfiles team takes immediate action to address security-related issues invo Note, that normally we try to fix issues found for the latest releases of our projects. Backport fixes will be made only for exceptional cases, if the team has identified the need to do so. -## Reporting process +## Reporting Process When a security vulnerability is found is important to not accidentally broadcast to the world that the issue exists, as this makes it easier for people to exploit it. The preferred way of reporting security issues in Devfiles is listed below. From a2225c5cf280292355c1f47796792e8e633f3097 Mon Sep 17 00:00:00 2001 From: Theofanis Petkos Date: Tue, 3 Sep 2024 17:04:08 +0100 Subject: [PATCH 7/7] Update SECURITY.md Co-authored-by: Michael Valdron 
Signed-off-by: thepetk --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 59c6db975..3e67827cd 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,7 +6,7 @@ Note, that normally we try to fix issues found for the latest releases of our pr ## Reporting Process -When a security vulnerability is found is important to not accidentally broadcast to the world that the issue exists, as this makes it easier for people to exploit it. The preferred way of reporting security issues in Devfiles is listed below. +When a security vulnerability is found, it is important to not accidentally broadcast publicly that the issue exists to avoid potential exploits. The preferred way of reporting security issues in Devfiles is listed below. ## Contact Us
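Review bot: PATCH 1/7 lands an empty SECURITY.md (0 insertions) and PATCH 2/7 fills it one commit later, so one revision in history publishes a security policy with no content. Squash 1/7 into 2/7 so the file appears with its text.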
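Review bot: The new policy in PATCH 2/7 tells reporters where to send a report but not what to include or when to expect a reply, which is the information a reporter needs most. Under "Reporting process", consider a short list of what to send (affected project and version, a description of the issue and its impact) and a stated acknowledgment window, since "takes immediate action" in the opening paragraph is a promise without a number. Two wording points in the same hunk: "Note, that normally we try" should read "Note that normally we try", and the "Backport fixes will be made only for exceptional cases, if the team has identified the need to do so" sentence would be clearer as a "Supported versions" statement naming which releases receive fixes.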
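Review bot: PATCH 3/7 replaces the reporting address introduced in PATCH 2/7 (team-devfile@redhat.com becomes team-devfile-security@redhat.com) within the same series, so the superseded alias still appears in a published revision of the file. Squash 3/7 into 2/7 so only the intended address ever lands, and check that the new alias is actually monitored before merging, since it is the single contact point the policy offers.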
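Review bot: PATCH 7/7 fixes the grammar of the "Reporting Process" sentence but the result chains two purposes ("not accidentally broadcast publicly that the issue exists to avoid potential exploits"). Suggest: "When a security vulnerability is found, it is important not to broadcast its existence publicly, since doing so makes exploitation easier before a fix is available." The same hunk keeps "Devfiles" while the rest of the file uses "devfile" and "devfiles team"; pick one spelling.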