Add documentation for reporting security issues

pull/5969/head
Matt Westcott 2020-04-15 15:34:52 +01:00 committed by LB
parent d0a0c804c2
commit ef0c8f3446
5 changed files with 52 additions and 0 deletions

View file

@ -26,6 +26,7 @@ Changelog
* Site settings are now identifiable/cachable by request as well as site (Andy Babic)
* Added `select_related` attribute to site settings to enable more efficient fetching of foreign key values (Andy Babic)
* Add caching of image renditions (Tom Dyson, Tim Kamanin)
* Add documentation for reporting security issues (Matt Westcott)
* Fix: Added ARIA alert role to live search forms in the admin (Casper Timmers)
* Fix: Reorder login form elements to match expected tab order (Kjartan Sverrisson)
* Fix: Re-add 'Close Explorer' button on mobile viewports (Sævar Öfjörð Magnússon)

View file

@ -6,6 +6,8 @@ Issues
The easiest way to contribute to Wagtail is to tell us how to improve it! First, check to see if your bug or feature request has already been submitted at `github.com/wagtail/wagtail/issues <https://github.com/wagtail/wagtail/issues>`_. If it has, and you have some supporting information which may help us deal with it, comment on the existing issue. If not, please `create a new one <https://github.com/wagtail/wagtail/issues/new>`_, providing as much relevant context as possible. For example, if you're experiencing problems with installation, detail your environment and the steps you've already taken. If something isn't displaying correctly, tell us what browser you're using, and include a screenshot if possible.
If your bug report is a security issue, **do not** report it with an issue. Please read our guide to :doc:`reporting security issues <security>`.
.. toctree::
:maxdepth: 2
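Review bot: the added "If your bug report is a security issue" sentence shows up here directly after the long paragraph above it; reStructuredText only starts a new paragraph after a blank line, so please confirm one separates the two in the source, otherwise this warning will be folded onto the end of the previous paragraph instead of standing on its own. The :doc:`reporting security issues <security>` target matches the ``security`` entry added to the toctree in the next hunk, so the cross-reference itself should resolve.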
@ -63,4 +65,5 @@ More information
html_guidelines
css_guidelines
javascript_guidelines
security
release_process

View file

@ -0,0 +1,45 @@
Reporting security issues
=========================
.. note::
Please report security issues **only** to `security@wagtail.io <mailto:security@wagtail.io>`_.
Most normal bugs in Wagtail are reported as `GitHub issues <https://github.com/wagtail/wagtail/issues>`_, but due to the sensitive nature of security issues, we ask that they not be publicly reported in this fashion.
Instead, if you believe youve found something in Wagtail which has security implications, please send a description of the issue via email to `security@wagtail.io <mailto:security@wagtail.io>`_. Mail sent to that address reaches a subset of the core team, who can forward security issues to other core team members for broader discussion if needed.
Once youve submitted an issue via email, you should receive an acknowledgment from a member of the security team within 48 hours, and depending on the action to be taken, you may receive further followup emails.
If you want to send an encrypted email (optional), the public key ID for security@wagtail.io is ``0x6ba1e1a86e0f8ce8``, and this public key is available from most commonly-used keyservers.
Django security issues should be reported directly to the Django Project, following `Django's security policies <https://docs.djangoproject.com/en/dev/internals/security/>`_ (upon which Wagtail's own policies are based).
Supported versions
------------------
At any given time, the Wagtail team provides official security support for several versions of Wagtail:
* The master development branch, hosted on GitHub, which will become the next release of Wagtail, receives security support.
* The two most recent Wagtail release series receive security support. For example, during the development cycle leading to the release of Wagtail 2.6, support will be provided for Wagtail 2.5 and Wagtail 2.4. Upon the release of Wagtail 2.6, Wagtail 2.4s security support will end.
* The latest Long-term support release will receive security updates.
When new releases are issued for security reasons, the accompanying notice will include a list of affected versions. This list is comprised solely of supported versions of Wagtail: older versions may also be affected, but we do not investigate to determine that, and will not issue patches or new releases for those versions.
How Wagtail discloses security issues
-------------------------------------
Our process for taking a security issue from private discussion to public disclosure involves multiple steps.
There is no fixed period of time by which a confirmed security issue will be resolved as this is dependent on the issue, however it will be a priority of the Wagtail team to issue a security release as soon as possible.
The reporter of the issue will receive notification of the date on which we plan to take the issue public.
On the day of disclosure, we will take the following steps:
1. Apply the relevant patch(es) to Wagtail's codebase. The commit messages for these patches will indicate that they are for security issues, but will not describe the issue in any detail; instead, they will warn of upcoming disclosure.
2. Issue the relevant release(s), by placing new packages on `the Python Package Index <https://pypi.org/project/wagtail/>`_, tagging the new release(s) in Wagtail's GitHub repository and updating Wagtail's :doc:`release notes <../releases/index>`.
3. Post a public entry on `Wagtail's blog <https://wagtail.io/blog/>`_, describing the issue and its resolution in detail, pointing to the relevant patches and new releases, and crediting the reporter of the issue (if the reporter wishes to be publicly identified).
4. Post a notice to the `Wagtail support forum <https://groups.google.com/d/forum/wagtail>`_ and Twitter feed (`@WagtailCMS <https://twitter.com/wagtailcms>`_) that links to the blog post.
If a reported issue is believed to be particularly time-sensitive – due to a known exploit in the wild, for example – the time between advance notification and public disclosure may be shortened considerably.
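Review bot: in the paragraph "If you want to send an encrypted email (optional)", publish the full 40-hex-digit fingerprint (and ideally host the key on wagtail.io) rather than only the 64-bit key ID ``0x6ba1e1a86e0f8ce8``; a short key ID is not enough for a reporter to be sure they have fetched the right key from a public keyserver, and this page is the one place they will look to check it. Two typos in the same file: "if you believe youve found something" and "Once youve submitted an issue" should read "you've", and "Wagtail 2.4s security support will end" should read "Wagtail 2.4's". The sentence beginning "There is no fixed period of time" runs two clauses together; ending the first clause at "dependent on the issue" and starting a new sentence with "However," would read more cleanly.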

View file

@ -39,6 +39,7 @@ Other features
* Site settings are now identifiable/cachable by request as well as site (Andy Babic)
* Added ``select_related`` attribute to site settings to enable more efficient fetching of foreign key values (Andy Babic)
* Add caching of image renditions (Tom Dyson, Tim Kamanin)
* Add documentation for reporting security issues (Matt Westcott)
Bug fixes

View file

@ -29,6 +29,8 @@ Issues
If you think you've found a bug in Wagtail, or you'd like to suggest a new feature, please check the current list at `github.com/wagtail/wagtail/issues <https://github.com/wagtail/wagtail/issues>`_. If your bug or suggestion isn't there, raise a new issue, providing as much relevant context as possible.
If your bug report is a security issue, **do not** report it with an issue. Please read our guide to :doc:`reporting security issues <../contributing/security>`.
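Review bot: the :doc: target ``../contributing/security`` is resolved relative to this file's own directory, so please confirm with a docs build that it points at the new ``contributing/security`` page from wherever this file lives; an unresolved :doc: reference is only a Sphinx warning and would render as plain, unlinked text. The same blank-line check as in the contributing index applies here: the added sentence should be its own paragraph after "providing as much relevant context as possible.", not appended to it.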
Torchbox
~~~~~~~~