-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Project Idea - OpenSSF Inbound Vulnerability Reporting Policy #128
Comments
|
An org-level security policy should indeed go in the org's |
Please change the document title. This is NOT a general-purpose security policy, this is a vulnerability disclosure policy. The title of the document should reflect that, so that people understand what they're going to be reading. |
Proposal "Inbound Vulnerability Disclosure Policy" - that is, add "inbound" to distinguish from "outbound". |
For clarification: a proposed outbound vulnerability disclosure policy is here: #122 |
Hi 👋 I think we have version 1.0 ready for the final review and approval, I share the doc in OpenSSF channels #wg-vulnerability-disclosures and #tac. Important checks before publishing the policy:
Next steps for v1.1
|
We have temporarily removed the Safe Habor section because the Linux Foundation Counsel advised that the text as written has serious problems. Before releasing anything by making legal claims, we need a review and formal approval by Linux Foundation Counsel. In the meantime, we have edited the doc as they recommended. cc @david-a-wheeler (thank you 🙌 ) |
@luigigubello - yes, security @ openssf.org exists. It's currently an alias to operations @ openssf.org, who can then redirect to the specific project. |
We need to find a solution to keep this language in the document somehow. Here are some example safe harbor policies we can pull from. If we come up with one that's international, we should work with the LF legal team to contribute it back here as well: |
Another example of Safer Harbor could be that of U.S. Department of Agriculture. It is quite generic to work for us - we need to adapt the text a bit - and it should be written in a (U.S.-oriented probably) legal language good for LF. |
Solid find and a good candidate! |
As per meeting May 1 Existing safe harbors in thread Additional Safe Harbors And here are the common elements i see
not in all but in many
Also disclose.io inccludes safe harbor in their VDP suggestions... any reason not to collab and suggest using theirs? https://disclose.io/docs/recipients/ |
@david-a-wheeler is there a current status or additional things to action on this? |
Idea: Publish an org-level security policy for OpenSSF repositories, projects, services, and infrastructure.
Proposal
Note. This draft policy is trying to meet the following requirements:
The text was updated successfully, but these errors were encountered: