correct process of disclosure

pull/755/head
Nicco Kunzmann 2024-12-23 13:21:19 +00:00
parent 0ec11d5351
commit 02f6426d3a
1 changed file with 7 additions and 5 deletions


@ -20,7 +20,7 @@ Security vulnerabilities are fixed only for the latest version of ``icalendar``.
- no
* - 4.*
- no
* - < 4.*
* - before 4.*
- no
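Review bot: the new row label "before 4.*" mixes prose with the glob-style notation used by the neighbouring "4.*" row, so the table now reads inconsistently; "< 4.0" or "older than 4.0" would state the same range unambiguously and keep the version column in one notation.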
@ -30,6 +30,8 @@ Reporting a Vulnerability
To report security issues of ``collective/icalendar``, use the ``Report a vulnerability`` button on the project's `Security Page <https://github.com/collective/icalendar/security>`_.
If you cannot do this, please contact one of the :ref:`maintainers` directly.
The maintainers of ``icalendar`` will then notify `Plone's security team <https://plone.org/security/report>`_.
If we determine that your report may be a security issue with the project, we may contact you for further information.
We volunteers ask that you delay public disclosure of your report for at least ninety (90) days from the date you report it to us.
This will allow sufficient time for us to process your report and coordinate disclosure with you.
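Review bot: the sentence "The maintainers of ``icalendar`` will then notify Plone's security team" follows directly on the fallback path ("If you cannot do this, please contact one of the maintainers directly"), so a reader may conclude that Plone's security team is only involved when a report comes in by direct contact; if the notification happens for reports made through the GitHub "Report a vulnerability" button as well, say so explicitly (for example "In either case, the maintainers will notify Plone's security team"). Separately, "We volunteers ask that you delay public disclosure" reads awkwardly; "As volunteers, we ask that you delay public disclosure" keeps the meaning. The ninety-day window itself is a clear, dated commitment and is a good addition.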
@ -43,14 +45,14 @@ Once verified and fixed, the following steps will be taken:
GitHub notifies us of their decision.
- Assuming it is compliant, we then publish our Security Advisory on GitHub, which triggers the next steps.
- GitHub will publish the CVE to the CVE List.
- GitHub will broadcast our Security Advisory via the `GitHub Advisory Database <https://github.com/advisories`_.
- GitHub will broadcast our Security Advisory via the `GitHub Advisory Database <https://github.com/advisories>`_.
- GitHub will send `security alerts <https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies>`_ to all repositories that use our package (and have opted into security alerts).
This includes Dependabot alerts.
- We will make a bug-fix release.
- We will send an announcement through our usual channels:
- The GitHub release
- The GitHub discussions
- The `Plone Community Forum <https://community.plone.org/>`_
- The :ref:`Changelog`
- The GitHub releases of ``icalendar``
- If possible also `Plone's Security Announcements <https://plone.org/security/announcements>`_
- We will provide credit to the reporter or researcher in the vulnerability notice.
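Review bot: the announcement channel list now contains both "The GitHub release" and "The GitHub releases of ``icalendar``", which name the same channel; drop one of them (the more specific second entry is the better one to keep). The repaired link target ``<https://github.com/advisories>`_`` fixes the missing ``>`` that broke the reStructuredText hyperlink in the previous version, and the added :ref:`Changelog` entry is consistent with the bug-fix release step above it.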