SECURITY: Describe that declassification is an option #19149
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
chrysn
added
Type: enhancement
maribu
approved these changes
Jan 15, 2023
benpicco
approved these changes
Jan 15, 2023
aabadie
reviewed
Jan 15, 2023
SECURITY.md
Outdated
| Unless the reporter explicitly requests not to do so, | ||
| the RIOT security maintainers may declassify an issue | ||
| if the issue is not deemed critical -- | ||
| for example when it requireres an unlikely combination of circumstances and/or configuration options, |
There was a problem hiding this comment.
There's a typo ;)
Suggested change
| for example when it requireres an unlikely combination of circumstances and/or configuration options, | |
| for example when it requires an unlikely combination of circumstances and/or configuration options, |
chrysn
force-pushed
the
security-declassify
branch
from
7aa7e0b to
48f0ae2
Compare
|
bors merge |
|
Build succeeded: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Contribution description
Our security policy does not contain provisions for the case when what is reported is not what we consider an actual security issue. As it is described now, everything reported through security@ would go through the full treatment, including a point release.
I'm not sure it belongs into the text itself (as it's more about how security reporters interact with the project than internals), but declassification should IMO be backed at least by 3 maintainers, and no strong NACK.
Issues/PRs references
#19141 followed that procedure after some chat on it on the maintainers channel. (In the discussion, I proposed declassification, with 2.5 people supporting it and one "I was about to, but can we be sure nobody is using it?" voice).