-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create SECURITY.md #7273
Create SECURITY.md #7273
Conversation
Signed-off-by: Joyce <joycebrum@google.com>
Hi, just pinging to know how is going this PR Review. Would I need to address any changes to this policy to be a better suit for rxjs? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general, I think this is a good idea. However, it seems like it should mention something about the license agreement, and the waiver of liability there in.
We, of course, want to fix any security issues as rapidly as possible. And a library like this is actually pretty unlikely to get security issues. But also as a volunteer, I don't really feel like being sued personally for damages that people feel were caused by not responding to security issue within a certain time period. Especially if there's a document that we approved that seems to be some sort of agreement on our part.
Signed-off-by: Joyce <joycebrum@google.com>
Hi @benlesh thanks for the return. I've rephrased the policy to not explicitly mention a deadline for public disclosure (instead asking reporters to align with you before disclosing anything about the security issue). Besides, I've added a paragraph to remind users about the Apache Liability aspect. Let me know if you think this would be better in the beginning of the doc. |
Signed-off-by: Joyce <joycebrum@google.com>
Thanks, @joycebrum .. I think this is good. I am only concerned at this point, because I'm not entirely sure I'll notice the security advisories, as I'm not conditioned to check them, nor do I know quite how they work. |
Closes #7265
I've created the SECURITY.md file considering the report vulnerability through security advisory, which is a new github feature.
If you're interested in the GitHub's feature, it must be activated for the repository:
If you rather not enable it there is also the possibility to receive the vulnerability report through an email, in this case just let me know which email it would be and I'll submit the change.
Besides that, feel free to edit or suggest any changes to this document, it is supposed to reflect the amount of effort the team can offer to handle vulnerabilities.