Skip to content

touch-up security policy #48280

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
thaJeztah merged 1 commit into from
Aug 2, 2024
Merged

touch-up security policy #48280

thaJeztah merged 1 commit into from
Aug 2, 2024

Conversation

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Jul 31, 2024

I noticed the OpenSSF scorecard (https://securityscorecards.dev/viewer/?uri=github.com/docker/docker) ranked a 9 out of 10 for the policy, as it had some warnings:

Info: security policy file detected: SECURITY.md:1
Info: Found linked content: SECURITY.md:1
Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
Info: Found text in security policy: SECURITY.md:1

This PR slightly touch-up the security policy in this repository to describe the process in more details.

  • Describe process around reporting, triage, and review.
  • Describe timelines for acknowledging reports.
  • Refer to supported versions / branches.

Some of this wording was adopted from containerd's policy (https://github.com/containerd/project/blob/main/SECURITY.md), adjusting where needed (e.g. the project currently does not have an embargoed security announce list, and no formal definition of security advisors).

@thaJeztah
Copy link
Member Author

thaJeztah commented Jul 31, 2024

cc @IanColdwater @rachel-taylor-docker (fyi)

There's probably more touching up possible (one step at a time); we have copies of this file in other repositories, so if we are ok with this version, I can update those in a follow-up.

@thaJeztah thaJeztah force-pushed the touchup_security branch 2 times, most recently from d61c32e to 58c8c4c Compare July 31, 2024 22:05
thaJeztah
thaJeztah commented Aug 1, 2024
View reviewed changes
@thaJeztah thaJeztah added this to the 28.0.0 milestone Aug 1, 2024
@thaJeztah
Copy link
Member Author

thaJeztah commented Aug 1, 2024

Waiting for some minor changes, we can merge after.

@thaJeztah
touch-up security policy
dfe36fa 
Slightly touch-up the security policy in this repository to describe
the process in more details.

- Describe process around reporting, triage, and review.
- Describe timelines for acknowledging reports.
- Refer to supported versions / branches.

Some of this wording was adopted from containerd's policy, adjusting
where needed (e.g. the project currently does not have an embargoed
security announce list, and no formal definition of security advisors).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah merged commit 27b322e into moby:master Aug 2, 2024
@thaJeztah thaJeztah deleted the touchup_security branch August 2, 2024 16:44
@thaJeztah thaJeztah mentioned this pull request Aug 5, 2024
Merged
This was referenced Oct 8, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@corhere corhere corhere approved these changes

@vvoland vvoland vvoland approved these changes

@laurazard laurazard laurazard approved these changes

Assignees

No one assigned

Labels

area/docs area/project area/security status/3-docs-review

Projects

None yet

Milestone

28.0.0

Development

Successfully merging this pull request may close these issues.

4 participants

@thaJeztah @corhere @vvoland @laurazard