DOC,SEC: Security Disclosure Guidelines

[westurner]

re: maintainer guidelines and README_TEMPLATEs: It's a good idea to specifically mention what to do with security disclosures; and whether there is a bounty program. (And open source governance things like succession order and push privs/keys).

• Maintainer Guidelines: https://github.com/18F/open-source-program/blob/18f-pages/pages/maintainer_guidelines.md
• README_TEMPLATE: https://github.com/18F/open-source-policy/blob/master/README_TEMPLATE.md

From "SEC: Add security disclosure process to developers page" pandas-dev/pandas#8545 :

• https://en.wikipedia.org/wiki/Responsible_disclosure

Are there good examples of responsible disclosure guidelines?

[westurner]

Are there good examples of responsible disclosure guidelines?

• https://docs.djangoproject.com/en/dev/internals/security/#reporting-security-issues

[westurner]

FWIW, from https://github.com/securitytxt/security-txt :

---

Frequently asked questions

What is the main purpose of security.txt?

The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.

Is security.txt an RFC?

security.txt is currently an Internet draft that has been submitted for RFC review. This means that security.txt is still in the early stages of development. We welcome contributions from the public: https://github.com/securitytxt/security-txt

Where should I put the security.txt file?

For websites, the security.txt file should be placed under the /.well-known/ path (/.well-known/security.txt) [RFC8615]. It can also be placed in the root directory (/security.txt) of a website, especially if the /.well-known/ directory cannot be used for technical reasons, or simply as a fallback. The file can be placed in both locations of a website at the same time. For code repositories, the file should be placed in the root directory of the repository.

---

https://en.wikipedia.org/wiki/Responsible_disclosure

[westurner]

@mgwalker this issue was closed. IMHO, there is still a case for:

• DOC: add a heading and references to the Maintainer Guidelines; and
• DOC: add a paragraph to a CONTRIBUTING.md; and
  • https://github.com/audreyfeldroy/cookiecutter-pypackage/blob/master/%7B%7Bcookiecutter.project_slug%7D%7D/CONTRIBUTING.rst
• DOC: add a paragraph to README / README_TEMPLATE

[mgwalker]

Thanks @westurner! I agree with you about disclosure policies. However, this repo has been entirely unmaintained for quite a while, and I'm planning to archive it. For whatever reason, I don't have write access to this repo so I can't archive it yet, and then this issue got caught up in an automated stale issue closing script.

Thanks again for your contribution, and especially for carrying this particular torch for so long! I wish I could say I knew how best to take this forward. Perhaps @konklone has ideas.

[westurner]

NP. Is an updated resource for this now?

• https://code.gov
  https://github.com/GSA/code-gov/

• Add to Security Awareness curriculum
  https://en.wikipedia.org/wiki/Security_awareness

(... Also, SPDX is a good spec for code.gov to help push and pull: https://en.wikipedia.org/wiki/Software_Package_Data_Exchange )