From 1e01fa40ee38f49b6a462c4af2bc4e8b3e1fe358 Mon Sep 17 00:00:00 2001
From: Aaron Crawfis
Date: Wed, 28 Apr 2021 08:38:17 -0700
Subject: [PATCH 1/2] Add info on reporting security issues

---
 .../content/en/concepts/security-concept.md | 3 +++
 .../support/support-release-policy.md | 2 +-
 .../support/support-security-issues.md | 19 +++++++++++++++++++
 .../operations/support/support-versioning.md | 2 +-
 4 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 daprdocs/content/en/operations/support/support-security-issues.md

diff --git a/daprdocs/content/en/concepts/security-concept.md b/daprdocs/content/en/concepts/security-concept.md
index 4eef5676b..dcf83f5d6 100644
--- a/daprdocs/content/en/concepts/security-concept.md
+++ b/daprdocs/content/en/concepts/security-concept.md
@@ -145,3 +145,6 @@ The test focused on the following:
 The full report can be found [here](/docs/Dapr-july-2020-security-audit-report.pdf).
+## Reporting a security issue
+
+Visit [this page]({{< ref support-security-issues.md >}}) to report a security issue to the Dapr maintainers.
diff --git a/daprdocs/content/en/operations/support/support-release-policy.md b/daprdocs/content/en/operations/support/support-release-policy.md
index 385f949fd..2ac539af9 100644
--- a/daprdocs/content/en/operations/support/support-release-policy.md
+++ b/daprdocs/content/en/operations/support/support-release-policy.md
@@ -2,7 +2,7 @@
 type: docs
 title: "Supported releases"
 linkTitle: "Supported releases"
-weight: 1000
+weight: 2000
 description: "Release support and upgrade policies "
 ---
diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md
new file mode 100644
index 000000000..e8571d114
--- /dev/null
+++ b/daprdocs/content/en/operations/support/support-security-issues.md
@@ -0,0 +1,19 @@
+---
+type: docs
+title: "Reporting security issues"
+linkTitle: "Reporting security issues "
+weight: 3000
+description: "How to report a security concern or vulnerability to the Dapr maintainers."
+---
+
+The Dapr organization and team makes security a central focus of how we operate and design our software. From the Dapr binaries to the GitHub release processes, we take numerous steps to ensure user applications and data is secure. For more information visit the [security page]({{< ref security-concept.md >}}).
+
+## Reporting security issues
+
+To report a security issue there are two options:
+1. Disclose privately to the [Dapr Maintainers (dapr@dapr.io)](mailto:dapr@dapr.io?subject=[Security%20Disclosure]:%20ISSUE%20TITLE)
+ - Use this option if you find an issue in Dapr that needs to be patched ASAP.
+ - The Dapr maintainers will triage, patch, and send an annoucement within 30 days.
+1. Report publicly via [GitHub issue](https://github.com/dapr/dapr/issues/new/choose)
+ - Use this option if there is a Dapr dependency or software package that needs to be patched or investigated (*eg. CodeCov disclosed a breach of their GitHub Action in April 2021).
+ - The Dapr maintainers will triage, resolve, and update the GitHub issue ASAP. Announcements will be made on a case-by-case basis.
\ No newline at end of file
diff --git a/daprdocs/content/en/operations/support/support-versioning.md b/daprdocs/content/en/operations/support/support-versioning.md
index 1cb895dcb..b6971713c 100644
--- a/daprdocs/content/en/operations/support/support-versioning.md
+++ b/daprdocs/content/en/operations/support/support-versioning.md
@@ -2,7 +2,7 @@
 type: docs
 title: "Versioning policy"
 linkTitle: "Versioning "
-weight: 2000
+weight: 1000
 description: "Dapr's versioning policies"
 ---
From 5d843699e21c056083e7a5c71016752dcb824a4b Mon Sep 17 00:00:00 2001
From: Aaron Crawfis
Date: Wed, 28 Apr 2021 14:44:41 -0700
Subject: [PATCH 2/2] Simplify options

---
 .../en/operations/support/support-security-issues.md | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/daprdocs/content/en/operations/support/support-security-issues.md b/daprdocs/content/en/operations/support/support-security-issues.md
index e8571d114..f11b1e756 100644
--- a/daprdocs/content/en/operations/support/support-security-issues.md
+++ b/daprdocs/content/en/operations/support/support-security-issues.md
@@ -10,10 +10,6 @@ The Dapr organization and team makes security a central focus of how we operate

 ## Reporting security issues

-To report a security issue there are two options:
-1. Disclose privately to the [Dapr Maintainers (dapr@dapr.io)](mailto:dapr@dapr.io?subject=[Security%20Disclosure]:%20ISSUE%20TITLE)
- - Use this option if you find an issue in Dapr that needs to be patched ASAP.
- - The Dapr maintainers will triage, patch, and send an annoucement within 30 days.
-1. Report publicly via [GitHub issue](https://github.com/dapr/dapr/issues/new/choose)
- - Use this option if there is a Dapr dependency or software package that needs to be patched or investigated (*eg. CodeCov disclosed a breach of their GitHub Action in April 2021).
- - The Dapr maintainers will triage, resolve, and update the GitHub issue ASAP. Announcements will be made on a case-by-case basis.
\ No newline at end of file
+To report a security issue, please privately email the [Dapr Maintainers (dapr@dapr.io)](mailto:dapr@dapr.io?subject=[Security%20Disclosure]:%20ISSUE%20TITLE)
+
+The Dapr maintainers will triage and respond ASAP and then patch and send an annoucement within 30 days.