
SPEC-11: Vulnerability disclosure


title: "SPEC 11 — Vulnerability disclosure"
number: 11
date: 2024-06-04
author:


Description

This SPEC outlines the process for vulnerability disclosure. It aims to provide clear guidelines for the identification, reporting, and remediation of security vulnerabilities within projects.

Scope:

  • Security policy (what it should include, and a template)

    • Prominently document how to report vulnerabilities
    • Contact information
  • Enable private vulnerability reporting via API (GitHub Security Advisories for GitHub, Confidential Issues for GitLab)

  • What to do when you get a vulnerability report?

    • Use resources like the Guide to coordinated vulnerability disclosure.
    • Explicitly disclose security issues affecting vendored dependencies.
    1. Acknowledge the report
    2. Request a CVE
    3. Share the CVE
    4. Release (add the CVE number to the release notes)