Create SECURITY.md #144
Create SECURITY.md #144
Conversation
There was a problem hiding this comment.
Hi team,
I'm Gemini, and I'm currently reviewing this pull request. In the meantime, here's a quick summary for you and other reviewers to get up to speed:
This pull request, submitted by plumpy, creates a new file: SECURITY.md. The intent is to establish a clear process for reporting security vulnerabilities.
Summary of Changes:
- A new file,
SECURITY.md, has been added to thecontainer-debug-supportrepository. - This file outlines the procedure for reporting security issues, directing users to use
http://g.co/vulnzfor reporting and specifying a response time of 5 working days. - The file also includes a link to GitHub Security Advisories.
Specific Changes in SECURITY.md:
| Line Number | Description |
|---|---|
| 1 | Header: Reporting Security Issues |
| 3-6 | Instructions on how to report security issues using http://g.co/vulnz, including coordination and disclosure on GitHub. |
| 8 | Link to GitHub Security Advisory |
I'll have a more detailed review shortly.
A little haiku to brighten your day:
Secure code we write,
Vulns reported, swiftly fixed,
Safety's gentle hand.
There was a problem hiding this comment.
This pull request adds a SECURITY.md file, which is a good practice. The content is clear and concise, providing essential information for reporting security vulnerabilities. However, it would be beneficial to add more details about the project's security practices and policies. Also, the contributing guidelines should link to this file.
| To report a security issue, please use http://g.co/vulnz. We use | ||
| http://g.co/vulnz for our intake, and do coordination and disclosure here on | ||
| GitHub (including using [GitHub Security Advisory]). The Google Security Team will | ||
| respond within 5 working days of your report on g.co/vulnz. |
There was a problem hiding this comment.
While the short link is convenient, it's helpful to also include the full URL for clarity and in case the short link ever breaks. Consider adding both the short link and the full URL.
| To report a security issue, please use http://g.co/vulnz. We use | |
| http://g.co/vulnz for our intake, and do coordination and disclosure here on | |
| GitHub (including using [GitHub Security Advisory]). The Google Security Team will | |
| respond within 5 working days of your report on g.co/vulnz. | |
| To report a security issue, please use [http://g.co/vulnz](https://google.com/vulnerability-reward-program). We use | |
| [http://g.co/vulnz](https://google.com/vulnerability-reward-program) for our intake, and do coordination and disclosure here on | |
| GitHub (including using [GitHub Security Advisory]). The Google Security Team will | |
| respond within 5 working days of your report on [g.co/vulnz](https://google.com/vulnerability-reward-program). |
| # Reporting Security Issues | ||
|
|
||
| To report a security issue, please use http://g.co/vulnz. We use | ||
| http://g.co/vulnz for our intake, and do coordination and disclosure here on | ||
| GitHub (including using [GitHub Security Advisory]). The Google Security Team will | ||
| respond within 5 working days of your report on g.co/vulnz. | ||
|
|
||
| [GitHub Security Advisory]: https://github.com/GoogleContainerTools/skaffold/security/advisories |
There was a problem hiding this comment.
Consider adding information about:
- Security Disclosure Policy: Briefly explain the project's commitment to responsible disclosure and how it handles reported vulnerabilities.
- Supported Versions: Specify which versions of the project receive security updates.
- Security Audits: If any security audits have been conducted, mention them and link to the reports (if available).
- Contact Information: Provide an alternative contact method (e.g., email address) for security issues, in addition to the Google Vulnerability Reward Program link.
Closes #137