Adding a boilerplate security policy. #143
schneidergithub wants to merge 2 commits into webmachinelearning:main from
Conversation
Pull request overview
Adds a repository SECURITY.md document intended to guide contributors on handling sensitive material and reporting security issues, aligning the repo with common GitHub expectations for a security policy file.
Changes:
- Introduces a new SECURITY.md with guidance on handling secrets/sensitive data.
- Adds guidance on evidence/audit integrity expectations.
- Adds a section describing how to report security issues.
Ready for review / approval. I suggest one of the maintainers (tagging the first from microsoft & google for visibility & simplicity): @bwalderman & @bokand add an email address or contact form for a proper security issue submission that is private, versus using public issues.
anssiko
left a comment
Thanks for the suggestion. There's no established SECURITY.md boilerplate for W3C repos currently. I'll put this to W3C Security Lead's desk.
@simoneonofri, can you suggest an appropriate SECURITY.md file considering https://w3c.github.io/security-disclosure/? My expectation is a link to that doc would be preferred over custom text to keep a canonical reference. When settled, I'd expect best practices and templates to be updated accordingly.
Thank you for the feedback Anssi. I would love to see a standard document & template to use for all my projects. A link to an official doc sounds like a great pragmatic solution.
I apologize, I made another commit to my fork that is getting auto-added to this PR. The second commit is just a repo clean-up policy I personally use, where it dismisses stale / inactive issues that have no activity over a month.
@anssiko thank you. Yes, the security disclosure document you linked is the one we're working on. Something done before was this one https://github.com/w3c/securityig/blob/main/SECURITY.md as I am acting as the point of contact, but for tldr, we're also using the GitHub feature.
Would you like me to close this PR since you guys seem to be on top of it? Or I can take ownership of this and submit a new PR that just points to https://github.com/w3c/securityig/blob/main/SECURITY.md
simoneonofri
left a comment
I made some changes by adding the reference to the ED of the policy. PLMK
| If you identify a security weakness in repository content, proposed changes, or | ||
| automation: | ||
|
|
||
| - Do not publish sensitive exploit details in a public issue unless the repo | ||
| owner explicitly requests that workflow. | ||
| - Notify the designated repository owner, security contact, or maintainers | ||
| through the approved internal reporting path. | ||
| - Include enough detail to reproduce and assess the issue without attaching | ||
| secrets or sensitive data. | ||
| - If the issue affects documented controls or evidence expectations, update the | ||
| relevant documentation only after maintainers confirm the correct handling. |
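Review bot: "the approved internal reporting path" in the second bullet is never defined anywhere in this file, so a reporter who reads it has nowhere to go; the discussion above already asks for exactly this (a private email address or contact form, or the GitHub private vulnerability reporting feature the W3C security contact mentions). Name the channel in that bullet, for example "through GitHub's private vulnerability reporting for this repository", so the guidance is actionable rather than a placeholder.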
| If you identify a security weakness in repository content, proposed changes, or | |
| automation: | |
| - Do not publish sensitive exploit details in a public issue unless the repo | |
| owner explicitly requests that workflow. | |
| - Notify the designated repository owner, security contact, or maintainers | |
| through the approved internal reporting path. | |
| - Include enough detail to reproduce and assess the issue without attaching | |
| secrets or sensitive data. | |
| - If the issue affects documented controls or evidence expectations, update the | |
| relevant documentation only after maintainers confirm the correct handling. | |
| The World Wide Web Consortium (W3C) recognizes that there may be some security issues in W3C standards and specifications. W3C appreciates researchers' feedback on our work because it is critical to keeping the Web secure. If you have found a security issue in a W3C specification, your help is very important. | |
| If you believe that you have spotted a security bug in a specification, we invite you to follow the [Standards Vulnerability Disclosure & Handling Process and Policy](https://w3c.github.io/security-disclosure/) | |
| **It is important to note that reports of this type are about the standards themselves, not their implementations. It is possible, for example, to propose updates to Security Consideration Sections.** | |
| To report a security issue in W3C website, please refer to the [W3C security.txt file](https://w3.org/security.txt) | |
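Review bot: the added paragraphs route specification bugs to the W3C disclosure process and website issues to security.txt, but the file still opens with weaknesses in "repository content, proposed changes, or automation", and for those the only instruction remains the undefined "approved internal reporting path"; add the repository-level channel (the GitHub private reporting feature referenced in the thread) so all three cases have a destination. Two small wording fixes: the sentence ending in the policy link is missing its full stop, and "in W3C website" should read "on the W3C website".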
@schneidergithub thank you for raising the issue!
This is a default security policy, which is expected in GitHub repos. Feel free to update the content, I copied & pasted it from another repo of mine.