
Add SECURITY.md security policy #35

Merged
merged 2 commits into from Jul 25, 2020

Conversation

tallclair
Member

Now that GitHub has official support for security policies, some users may expect to find disclosure protocols there. We should make sure every one of our repos links the security policy to https://kubernetes.io/docs/reference/issues-security/security/#report-a-vulnerability to avoid accidental disclosures.

I was originally thinking of merging SECURITY_CONTACTS into SECURITY.md, but the future of SECURITY_CONTACTS is under active discussion. I'm also worried that people looking for who to contact might reach out to security contacts rather than following our disclosure process (part of the larger discussion).

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 23, 2020
@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jul 23, 2020
@k8s-ci-robot
Contributor

@tallclair: The label(s) committee/project-security cannot be applied, because the repository doesn't have them

In response to this:

/committee project-security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tallclair
Member Author

/committee product-security

@k8s-ci-robot k8s-ci-robot added the committee/security-response Denotes an issue or PR intended to be handled by the product security committee. label Jul 23, 2020
@joelsmith
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 25, 2020
Member

@nikhita nikhita left a comment


Thank you!

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: joelsmith, nikhita, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 25, 2020
@nikhita
Member

nikhita commented Jul 25, 2020

Bump -- GitHub's search API hasn't been consistent these days, which means prow doesn't pick up PRs with approved and lgtm labels correctly sometimes :/

@k8s-ci-robot k8s-ci-robot merged commit 09f43d4 into kubernetes:master Jul 25, 2020
@dims
Member

dims commented Jul 26, 2020

@nuthinking @neovintage this is what i mentioned when we were talking last week. we see the glitches from GitHub's search API pretty regularly and our bots have trouble due to the changes in behavior :(

@tallclair
Member Author

Is there any tooling to help update all our repos with the new file, or do I need to script it up myself?

@joelsmith
Contributor

joelsmith commented Jul 27, 2020

I have a python bash script that checks out all the repos (if they haven't been checked out), fetches, rebases. Then I use traditional tools to edit the files. Then I use hub and sleep in a bash loop to open PRs. It's pretty ghetto, but works well enough for my purposes. I'm happy to do the mass addition for you if you like, or if you prefer, I can send you my script to use as a starting point.

@tallclair
Member Author

Thanks Joel. If you have bandwidth to handle it, that would be great. Alternatively, we might want to wait and see where the SECURITY_CONTACTS discussion leads, and batch those updates together (although that one might require more manual edits).

@joelsmith
Contributor

Yep, I can handle it. Better that only one of us has to fork every single k8s repo ;-)

@joelsmith
Contributor

All PRs are now open and they all link back to the master issue: kubernetes/committee-security-response#105

Do we need to do the same thing for any other GitHub orgs, such as kubernetes-sigs?

@tallclair
Member Author

Thanks! I think we should probably add it for kubernetes-sigs too, even if a lot of those projects aren't eligible for bug-bounty.

@joelsmith
Contributor

joelsmith commented Jul 28, 2020

There are a lot of kubernetes-sigs repos. I wonder if instead of opening a PR against each with the added file, what if we create a kubernetes-sig/.github repo? Apparently, if you create a repo named .github in your org, you can put an org-wide default SECURITY.md (along with other similar policy docs). Then individual sigs can override it as needed, and we don't have to make sure that new repos there get the file added.

According to the docs:

You can create a default security policy for your organization or user account. For more information, see "Creating a default community health file."

The linked doc says:

You can add default community health files to the root of a public repository called .github that is owned by an organization or user account.
GitHub will use and display default files for any public repository owned by the account that does not have its own file of that type in any of the following places:

  • the root of the repository
  • the .github folder
  • the docs folder
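An added example, not code from this PR or from the kubernetes project: a POSIX shell helper for a bulk-addition pass like the one Joel describes above. It mirrors the three locations GitHub consults (repository root, `.github/`, `docs/`) before falling back to an org-wide `.github` default, so a script that walks checked-out repos skips any repo that already carries its own policy instead of clobbering a SIG-specific override. The function names and the constructed sample directory layout are assumptions; the disclosure URL is the one this PR links.

```shell
#!/usr/bin/env sh
# Added example (assumed helper names, not part of the PR). Decide whether a
# checked-out repo needs its own SECURITY.md and write one that points at the
# Kubernetes disclosure process.

DISCLOSURE_URL="https://kubernetes.io/docs/reference/issues-security/security/#report-a-vulnerability"

# has_security_policy DIR: exit 0 if DIR already has a SECURITY.md in the
# root, .github/ or docs/ (the three places GitHub checks), else exit 1.
has_security_policy() {
  for candidate in "$1/SECURITY.md" "$1/.github/SECURITY.md" "$1/docs/SECURITY.md"; do
    [ -f "$candidate" ] && return 0
  done
  return 1
}

# write_security_policy DIR: create DIR/SECURITY.md linking to the disclosure
# process. Refuses to overwrite an existing policy anywhere in the tree, so a
# repo that deliberately overrides the org default is left alone.
write_security_policy() {
  if has_security_policy "$1"; then
    echo "skip: $1 already has a security policy" >&2
    return 1
  fi
  cat > "$1/SECURITY.md" <<EOF
# Security Policy

Please report vulnerabilities by following the Kubernetes disclosure process:
$DISCLOSURE_URL
EOF
}

# count_missing_policies ROOT: print how many repos directly under ROOT have
# no SECURITY.md in any of the three locations (useful as a pre-flight report
# before opening PRs).
count_missing_policies() {
  missing=0
  for repo in "$1"/*/; do
    [ -d "$repo" ] || continue
    has_security_policy "${repo%/}" || missing=$((missing + 1))
  done
  echo "$missing"
}

# make_sample_org: constructed sample layout for trying the helpers offline:
# one repo with a root policy, one with a .github/ policy, one with none.
make_sample_org() {
  org=$(mktemp -d)
  mkdir -p "$org/repo-root" "$org/repo-dotgithub/.github" "$org/repo-none"
  printf '# policy\n' > "$org/repo-root/SECURITY.md"
  printf '# policy\n' > "$org/repo-dotgithub/.github/SECURITY.md"
  echo "$org"
}
```

Usage: `ORG=$(make_sample_org); count_missing_policies "$ORG"` reports `1`; `write_security_policy "$ORG/repo-none"` then brings it to `0`, while the same call on `repo-root` is refused. In a real pass the repo directories would be the checkouts the script has already fetched and rebased, and the commit/PR step follows only for repos where `write_security_policy` succeeded.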

@nikhita
Member

nikhita commented Jul 29, 2020

I wonder if instead of opening a PR against each with the added file, what if we create a kubernetes-sig/.github repo? Apparently, if you create a repo named .github in your org, you can put an org-wide default SECURITY.md (along with other similar policy docs).

👍 💯
