From df155e3826bf1fa24c36ccb1c87e7fbb38e05ff5 Mon Sep 17 00:00:00 2001 From: Matt Farina Date: Tue, 20 Jun 2023 13:05:46 -0400 Subject: [PATCH] Update the security process docs (#3128) The incubation requirements state, "Clearly documented security processes explaining how to report security issues to the project, and describing how the project provides updated releases or patches to resolve security vulnerabilities" This change updates the process to add more detail Signed-off-by: Matt Farina --- SECURITY.md | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 901d0eb4..2e20ebc2 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -5,7 +5,17 @@ To report a security problem in Artifact Hub, please contact the Maintainers Team at . -The team will help diagnose the severity of the issue and determine how to -address the issue. Issues deemed to be non-critical will be filed as GitHub -issues. Critical issues will receive immediate attention and be fixed as quickly -as possible. +## Remediation and Notification Process + +The maintainers will evaluate the report to verify the security issue. If the +issue does not have a security impact, the report and follow-up will move to +GitHub issues. If a security issue exists, the maintainers use the following +process: + +1. Create a new draft advisory via GitHub Security Advisories +2. Request a CVE identification number +3. Collaborate on a private fork, part of the GitHub Security Advisory system, + to fix the issue. +4. Once a solution is ready, the CVE will be finalized and published, the change + will be merged, and there will be a new release of Artifact Hub including the + security fix.
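Review bot: The heading this hunk adds, "Remediation and Notification Process", promises a notification step, but the four numbered steps cover remediation only (draft advisory, CVE request, private fork, merge and release) and never say how users learn that a fix has shipped. Suggest either a closing step such as "5. Publish the GitHub Security Advisory and call out the fix in the release notes" or renaming the heading to "Remediation Process". The removed paragraph also told reporters that severity is assessed and that critical issues get immediate attention; the new text drops any mention of severity or expected turnaround, so consider keeping a sentence on how the maintainers prioritise confirmed issues. Minor: steps 1 and 2 lack the trailing period that steps 3 and 4 carry.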