hlrs-software-stack/spack
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

security: change SECURITY.md to recommend GitHub's private reporting (#39651)

Browse source 
GitHub's beta private security issue reporting feature is enabled on the Spack repo now,
so we can change `SECURITY.md` to recommend using it instead of `maintainers@spack.io`.

- [x] Update `SECURITY.md` to direct people to the GitHub security tab.
- [x] Update working in `SECURITY.md` to say "last two major releases" with a link to
      the releases page, instead of explicitly listing release names. This way we don't have
      to update it (which we keep forgetting to do).
This commit is contained in:
Todd Gamblin 2023-08-28 11:06:17 -07:00 committed by GitHub
parent 0fd085be8e
commit 6dc167e43d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
SECURITY.md
View file

@ -2,24 +2,26 @@
## Supported Versions ## Supported Versions
We provide security updates for the following releases. We provide security updates for `develop` and for the last two
stable (`0.x`) release series of Spack. Security updates will be
made available as patch (`0.x.1`, `0.x.2`, etc.) releases.
For more on Spack's release structure, see For more on Spack's release structure, see
[`README.md`](https://github.com/spack/spack#releases). [`README.md`](https://github.com/spack/spack#releases).
| Version | Supported |
| ------- | ------------------ |
| develop | :white_check_mark: |
| 0.19.x | :white_check_mark: |
| 0.18.x | :white_check_mark: |
## Reporting a Vulnerability ## Reporting a Vulnerability
To report a vulnerability or other security You can report a vulnerability using GitHub's private reporting
issue, email maintainers@spack.io. feature:
You can expect to hear back within two days. 1. Go to [github.com/spack/spack/security](https://github.com/spack/spack/security).
If your security issue is accepted, we will do 2. Click "Report a vulnerability" in the upper right corner of that page.
our best to release a fix within a week. If 3. Fill out the form and submit your draft security advisory.
fixing the issue will take longer than this,
we will discuss timeline options with you. More details are available in
[GitHub's docs](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).
You can expect to hear back about security issues within two days.
If your security issue is accepted, we will do our best to release
a fix within a week. If fixing the issue will take longer than
this, we will discuss timeline options with you.