Skip to content

Comments

document ongoing security and practices #3215#9241

Merged
kcondon merged 1 commit intodevelopfrom
3215-security
Jan 3, 2023
Merged

document ongoing security and practices #3215#9241
kcondon merged 1 commit intodevelopfrom
3215-security

Conversation

@pdurbin
Copy link
Member

@pdurbin pdurbin commented Dec 20, 2022
edited
Loading

What this PR does / why we need it:

  • We need to explain to the community how to receive security notices.
  • A permalink for "how to report security vulnerabilities" is a good thing.
  • It's nice to have have links handy to resources (lists of emails, previous examples, etc.) when sending security notices.

Which issue(s) this PR closes:

Special notes for your reviewer:

Here's a good entry point: https://dataverse-guide--9241.org.readthedocs.build/en/9241/installation/config.html#ongoing-security

Note that I added SECURITY.md: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

It's expected that the links in that SECURITY.md file won't work until we make a release (when the new content is in place under "latest").

Suggestions on how to test this:

Sanity check on the content. Please see entry point above.

Does this PR introduce a user interface change? If mockups are available, please link/include them here:

No.

Is there a release notes update needed for this change?:

No. I'm happy to add one.

Additional documentation:

This PR is only documentation.

@pdurbin pdurbin mentioned this pull request Dec 20, 2022
Closed
@ysuarez
Copy link
Contributor

ysuarez commented Dec 21, 2022

I spoke to @pdurbin about adding a SECURITY.md, and I wanted to mention that when a github repo uses this file properly it will add a new choice to the github issue type choices.

The current Dataverse issue template looks like this...

image

One this PR is merged with the SECURITY.md file, you will see a new / 3rd choice to the issue type list that says...

"...
Report a security vulnerability
Please review our security policy for more details.
View Policy
..."

image

Which I have found very useful to prevent someone from accidentally creating a security issue in a very public way.

Here is how I used a SECURITY.md file to improve the opensource Islandora software's github issue type choices...
https://github.com/Islandora/documentation/issues/new/choose

pdurbin added a commit to IQSS/dataverse-installations that referenced this pull request Jan 3, 2023
@pdurbin
don't suggest that contact email won't be displayed
82fa33a 
The email is public in a couple places...

- https://iqss.github.io/dataverse-installations/data/data.json
- spreadsheet: https://docs.google.com/spreadsheets/d/1bfsw7gnHlHerLXuk7YprUT68liHfcaMxs1rFciA-mEo/edit?usp=sharing

... and while it's true that it's not currently displayed on the map, we might someday and I don't want to give the impression that we never will. It's public data.

On a related note, we mention the contact email and spreadsheet here:

- IQSS/dataverse#9241
@pdurbin pdurbin mentioned this pull request Jan 3, 2023
Merged
@kcondon kcondon self-assigned this Jan 3, 2023
@kcondon kcondon merged commit 12d9ff5 into develop Jan 3, 2023
@kcondon kcondon deleted the 3215-security branch January 3, 2023 20:12
@pdurbin pdurbin added this to the 5.13 milestone Jan 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@donsizemore donsizemore donsizemore approved these changes

Assignees

@kcondon kcondon

Labels

None yet

Projects

None yet

Milestone

5.13

Development

Successfully merging this pull request may close these issues.

"Securing Your Installation" section of Installation Guide could cover ongoing security, advisories, private discussion

4 participants

@pdurbin @ysuarez @donsizemore @kcondon