From a0f8bd4f6aaad86430e05e2b048cfeef3e5104b1 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Tue, 5 Dec 2023 07:40:35 +0100 Subject: [PATCH 1/3] docs: add SECURITY.md --- SECURITY.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..82004f92 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,17 @@ +# Security Policy + +## Supported Versions + +The [latest](https://github.com/philips-software/amp-devcontainer/releases/latest) version of +amp-devcontainer is supported with security updates. +The amp-devcontainer image is scanned for security vulnerabilities and the results are published on the +[code scanning](https://github.com/philips-software/amp-devcontainer/security/code-scanning) page. + +## Reporting a Vulnerability + +Vulnerabilities can be reported using GitHub's [private vulnerability reporting](https://github.com/philips-software/amp-devcontainer/security/advisories/new). +A member of the amp-devcontainer team will triage the reported vulnerability within a maximum of two business days. +If the vulnerability is accepted a [security advisory](https://github.com/philips-software/amp-devcontainer/security) will be published +and all further communication will be done via that security advisory. +Whenever an upstream fix is available the vulnerable package will be updated and a new release will be published +no later than five business days after a fix for the vulnerability has become available. From 1874ed765f3d1ef27a557e5c904b3b09eab479c3 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Tue, 5 Dec 2023 11:40:32 +0100 Subject: [PATCH 2/3] chore: fix linter findings --- README.md | 7 ++++++- SECURITY.md | 10 +++++----- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 60a36e19..8963ff1f 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ This repository contains a [devcontainer](https://docs.github.com/en/codespaces/ ## State -This repository is under active development; see [pulse](https://github.com/philips-software/amp-devcontainer/pulse) for more details; +This repository is under active development; see [pulse](https://github.com/philips-software/amp-devcontainer/pulse) for more details. ## Description @@ -60,6 +60,11 @@ See [CHANGELOG](./CHANGELOG.md) for more info on what's been changed. See [CONTRIBUTING](./CONTRIBUTING.md) +## Reporting vulnerabilities + +If you find a vulnerability, please report it to us! +See [SECURITY.md](./SECURITY.md) for more information. + ## Licenses See [LICENSE](./LICENSE) diff --git a/SECURITY.md b/SECURITY.md index 82004f92..dc1ad369 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -9,9 +9,9 @@ The amp-devcontainer image is scanned for security vulnerabilities and the resul ## Reporting a Vulnerability -Vulnerabilities can be reported using GitHub's [private vulnerability reporting](https://github.com/philips-software/amp-devcontainer/security/advisories/new). +If you find a significant vulnerability, or evidence of one, please report it privately. + +Vulnerabilities should be reported using [GitHub's mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). Under the +[main repository's security tab](https://github.com/philips-software/amp-devcontainer/security), click "Report a vulnerability" to open the advisory form. A member of the amp-devcontainer team will triage the reported vulnerability within a maximum of two business days. -If the vulnerability is accepted a [security advisory](https://github.com/philips-software/amp-devcontainer/security) will be published -and all further communication will be done via that security advisory. -Whenever an upstream fix is available the vulnerable package will be updated and a new release will be published -no later than five business days after a fix for the vulnerability has become available. +If the vulnerability is accepted a security advisory will be published and all further communication will be done via that security advisory. From 55cdf3d10b4149b508cf42d5ac3f1a86578d30d5 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Tue, 5 Dec 2023 11:46:41 +0100 Subject: [PATCH 3/3] ci: fix more linter findings --- SECURITY.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index dc1ad369..89c4676c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,8 +4,6 @@ The [latest](https://github.com/philips-software/amp-devcontainer/releases/latest) version of amp-devcontainer is supported with security updates. -The amp-devcontainer image is scanned for security vulnerabilities and the results are published on the -[code scanning](https://github.com/philips-software/amp-devcontainer/security/code-scanning) page. ## Reporting a Vulnerability @@ -13,5 +11,5 @@ If you find a significant vulnerability, or evidence of one, please report it pr Vulnerabilities should be reported using [GitHub's mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). Under the [main repository's security tab](https://github.com/philips-software/amp-devcontainer/security), click "Report a vulnerability" to open the advisory form. -A member of the amp-devcontainer team will triage the reported vulnerability within a maximum of two business days. -If the vulnerability is accepted a security advisory will be published and all further communication will be done via that security advisory. + +A member of the amp-devcontainer team will triage the reported vulnerability and if the vulnerability is accepted a security advisory will be published and all further communication will be done via that security advisory.