
Docs: Create Security Policy #75


Merged (3 commits, Sep 25, 2023)

Conversation

diogoteles08 (Contributor):

Closes #74

I've created the SECURITY.md file following GitHub's template and considering that you'd request that users report vulnerabilities through the security advisory, which is a handy new GitHub feature, but it's still in beta and has to be manually enabled by a maintainer.

If you're interested in this feature, you can activate it by following these steps:

  1. Click on this link to go to Code security & analysis section on your repo's settings
  2. Click "Enable" for "Private vulnerability reporting (Beta)"

However, if you'd rather not use this feature, you can also request users to report vulnerabilities to an email. If that's the case, let me know which email you would like to receive the reports and I can submit the change.

Additionally, feel free to edit or suggest any changes to this document, it is supposed to reflect the amount of effort the team can offer to handle vulnerabilities.

@keegancsmith keegancsmith requested a review from dcomas September 12, 2023 03:01
@willdollman willdollman self-assigned this Sep 25, 2023
@willdollman willdollman requested a review from evict September 25, 2023 10:51
Co-authored-by: Vincent <evict@users.noreply.github.com>

If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to evaluate and fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.

Please disclose it privately via email to security@sourcegraph.com. We will work with you to understand and resolve the issue promptly.
Contributor:

@willdollman should we mention that we have a bug bounty program and will pay a bounty for serious issues?

willdollman (Contributor):

Hi @diogoteles08 thanks for this PR! After discussion we're planning to use our primary security email for security reports.

@willdollman willdollman merged commit cd64a67 into sourcegraph:master Sep 25, 2023
Linked issue (closed by this pull request): Docs: Define a Security Policy
3 participants