Revise security issue reporting guidelines in dependencies#63
Conversation
Updated the reporting guidelines for security issues in dependencies to clarify the process for public and private reporting.
raboof
left a comment
There was a problem hiding this comment.
generally great improvement, the 'if you have confirmed' paragraph might benefit from some further tweaking
| If your organization has a mature software engineering culture, and you cannot find existing information on whether the project is affected by the issue in the advisory, it may be up to you to participate in its handling. | ||
|
|
||
| Contributions upgrading the dependency to a version that is not affected by the problem are generally welcomed, though will not typically expedite the release schedule. | ||
| If you cannot find existing information on whether the project is affected by the issue in the advisory, it may be up to you, as a part of the project community, to participate in its handling. Ensure you provide detailed information when starting a discussion - review how the project uses the dependency and have your opinion on the priority to upgrade, or even remove, the dependency. Contributions upgrading the dependency to a version that is not affected by the problem are generally welcomed, though will not typically expedite the release schedule. |
| If you cannot find existing information on whether the project is affected by the issue in the advisory, it may be up to you, as a part of the project community, to participate in its handling. Ensure you provide detailed information when starting a discussion - review how the project uses the dependency and have your opinion on the priority to upgrade, or even remove, the dependency. Contributions upgrading the dependency to a version that is not affected by the problem are generally welcomed, though will not typically expedite the release schedule. | ||
|
|
||
| If your analysis confirms the issue described in the advisory does impact this project, please share that information with us with the appropriate level of detail though the private channels described [here](https://security.apache.org/report-code). | ||
| If your analysis identifies a broader issue related to the dependencies advisory, please share that information with us with the appropriate level of detail through the private channels described [here](https://security.apache.org/report-code). |
There was a problem hiding this comment.
"confirms the issue described in the advisory does impact this project" may not have been super clear, but I don't really think "identifies a broader issue related to the dependencies advisory" is clearer.
Maybe: "If your analysis confirms the project is using the dependency in a way that is in fact impacted by the behavior described in the advisory" ? Still not super happy.
There was a problem hiding this comment.
I'm looking to change the meaning. The original text felt like "Yes, this project depends on X -> contact security". Whereas I think it should only contact security when there is a larger issue, like this vulnerability identifies a larger vulnerability in the project that increases the risk.
There was a problem hiding this comment.
Changed to:
"To influence release schedules, please provide a proof-of-concept report that the advisory affects the Apache Software Foundation project in question (not the dependency) through the private channels described here. If your analysis identifies other or related issues affecting the project, report these through the private channels."
| If your analysis identifies a broader issue related to the dependencies advisory, please share that information with us with the appropriate level of detail through the private channels described [here](https://security.apache.org/report-code). | ||
|
|
||
| If you have verified the issue does not impact the project, it would be appreciated to share this analysis through the project's public channels, so others can review this work and make their own risk assessment. | ||
| If you have verified the issue does not impact the project, it is an appreciated contribution if you can share this analysis through the project's public channels, so others can review this work and make their own risk assessment. |
|
|
||
| Contributions upgrading the dependency to a version that is not affected by the problem are generally welcomed, though will not typically expedite the release schedule. | ||
| If you cannot find existing information on whether the project is affected by the issue in the advisory, it may be up to you, as a part of the project community, to participate in its handling. Ensure you provide detailed information when starting a discussion - review how the project uses the dependency and have your opinion on the priority to upgrade, or even remove, the dependency. Contributions upgrading the dependency to a version that is not affected by the problem are generally welcomed, though will not typically expedite the release schedule. | ||
|
|
There was a problem hiding this comment.
| Only when you have a POC how the 3rd-party affects security of tha Apache Software Foundation project, report the POC and explanation about the security issue privately to the project. | |
There was a problem hiding this comment.
Changed the next sentence to:
"To influence release schedules, please provide a proof-of-concept report that the advisory affects the Apache Software Foundation project in question (not the dependency) through the private channels described here. If your analysis identifies other or related issues affecting the project, report these through the private channels."
raboof
left a comment
There was a problem hiding this comment.
one small remaining comment, otherwise LGTM
| If you cannot find existing information on whether the project is affected by the issue in the advisory, it may be up to you, as a part of the project community, to participate in its handling. Ensure you provide detailed information when starting a discussion - review how the project uses the dependency and have your opinion on the priority to upgrade, or even remove, the dependency. Contributions upgrading the dependency to a version that is not affected by the problem are generally welcomed, though will not typically expedite the release schedule. | ||
|
|
||
| If your analysis confirms the issue described in the advisory does impact this project, please share that information with us with the appropriate level of detail though the private channels described [here](https://security.apache.org/report-code). | ||
| To influence release schedules, please provide a proof-of-concept report that the advisory affects the Apache Software Foundation project in question (not the dependency) through the private channels described [here](https://security.apache.org/report-code). If your analysis identifies other or related issues affecting the project, report these through the private channels. |
There was a problem hiding this comment.
Sorry to contradict other review comments here, but I think requiring a proof-of-concept might be too heavy. I think I would prefer:
| To influence release schedules, please provide a proof-of-concept report that the advisory affects the Apache Software Foundation project in question (not the dependency) through the private channels described [here](https://security.apache.org/report-code). If your analysis identifies other or related issues affecting the project, report these through the private channels. | |
| If you want us to treat your report as a vulnerability in our code, please provide a convincing analysis that the advisory affects the Apache Software Foundation project in question (not just the dependency) through the private channels described [here](https://security.apache.org/report-code). If your analysis identifies other or related issues affecting the project, report these through the private channels. |
Updated the reporting guidelines for security issues in dependencies to clarify the process for public and private reporting.