Add instructions for reporting security vulnerabilities
| ## Contacting the OpenELA TSC | ||
| The TSC can be contacted via the email address: [tsc@openela.org](mailto:tsc@openela.org) | ||
| The TSC can be contacted via the email address: [tsc@openela.org](mailto:tsc@openela.org) |
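Review bot: the new heading "## Contacting the OpenELA TSC" becomes a link target: the other hunk in this PR points at `https://github.com/openela/governance/tree/main/TSC#contacting-the-openela-tsc`, so any later rewording of this heading silently breaks the reporting instructions. Consider adding a comment above the heading noting that SECURITY.md links to it, and add the trailing period on the contact line as already requested.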
Nit: missing dot at the end of the line
I'll respin this PR without modifying that line
| Please report security issues to the Technical Steering Committee. | ||
| https://github.com/openela/governance/tree/main/TSC#contacting-the-openela-tsc | ||
| We encourage the use of GPG encrypted email. |
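Review bot: the last line, "We encourage the use of GPG encrypted email.", gives reporters nothing to encrypt to: no key ID or fingerprint and no location (a key file in this repository or a keyserver) from which to fetch the TSC's public key, so in practice reports will arrive in plaintext. Either add the fingerprint and fetch location next to that sentence or drop the GPG recommendation until a key is published. The first line also says "report security issues to the Technical Steering Committee" without stating what a reporter should expect back (an acknowledgement, a response window), which a SECURITY.md normally spells out.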
Fine. I wonder if we could simply use the GitHub builtin vulnerability reporting instead? Would allow collaboration on issues.
That would probably work assuming the TSC gets notified. The one complication is that we'd be directing folks to use a specific repository (the issues repository, which doesn't exist yet) rather than allowing issues everywhere in openela-main, and that would prevent the private-issues-reporting tool from creating forks (since it'd be a different repository).
dirkmueller
left a comment
GitHub renders the security file if it's all uppercase in the name, so `SECURITY.md`. Would you please rename it that way?
I'm going to hold off on this for now. Dirk is right that native GitHub vulnerability handling is better than emailing the TSC, however those issues should go into the not-yet-created catchall project we're going to have for filing and responding to issues, so we can pick this back up once that repository is available.
No description provided.