-
Notifications
You must be signed in to change notification settings - Fork 54
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: add a security policy document #504
Merged
tonyandrewmeyer
merged 1 commit into
canonical:master
from
tonyandrewmeyer:add-security-md
Sep 25, 2024
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
# Security policy | ||
|
||
## Supported versions | ||
|
||
Security updates will be released for all major versions that have had releases in the last year, | ||
and for all versions of Pebble that are bundled with [Juju](https://github.com/juju/juju) | ||
releases that [receive security updates](https://juju.is/docs/juju/roadmap). | ||
|
||
## Reporting a vulnerability | ||
|
||
Please provide a description of the issue, the steps you took to | ||
create the issue, affected versions, and, if known, mitigations for | ||
the issue. | ||
|
||
The easiest way to report a security issue is through | ||
[GitHub's security advisory for this project](https://github.com/canonical/pebble/security/advisories/new). See | ||
[Privately reporting a security | ||
vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) | ||
for instructions on reporting using GitHub's security advisory feature. | ||
|
||
The Pebble GitHub admins will be notified of the issue and will work with you | ||
to determine whether the issue qualifies as a security issue and, if so, in | ||
which component. We will then figure out a fix, get a CVE | ||
assigned, and coordinate the release of the fix. | ||
|
||
You may also send email to [email protected]. Email may optionally be | ||
encrypted to OpenPGP key | ||
[`4072 60F7 616E CE4D 9D12 4627 98E9 740D C345 39E0`](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x407260f7616ece4d9d12462798e9740dc34539e0) | ||
|
||
If you have a deadline for public disclosure, please let us know. | ||
Our vulnerability management team intends to respond within 3 working | ||
days of your report. This project aims to resolve all vulnerabilities | ||
within 90 days. | ||
|
||
The [Ubuntu Security disclosure and embargo | ||
policy](https://ubuntu.com/security/disclosure-policy) contains more | ||
information about what you can expect when you contact us, and what we | ||
expect from you. |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to clarify "all major versions" -- given we only have 1.x.y, I guess this means just one security update?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, plus the ones that Juju needs. The "only for majors" is where we currently landed for ops, so I re-used that here.
We could have a table here listing versions like some projects do, but that seems a pain to maintain. LXD has rules for monthly and LTS releases - we could copy that but have Juju instead of LTS?
(The "what qualifies" section in the LXD one I think would be good here too, but probably after the current modelling work is done).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think what you have now is fine -- I just wanted to clarify the intent. Could add a little parenthetical to clarify for others like "(1.x versions)" if you want.