From 1417e298a38a424d0d0a918d5187def9e3dcdcb4 Mon Sep 17 00:00:00 2001 From: krishn-cpu Date: Fri, 11 Apr 2025 03:41:16 +0530 Subject: [PATCH] Add security documentation and templates --- .github/ISSUE_TEMPLATE/--security-report.md | 48 ++++++++++++ .github/security-advisory-template.md | 54 ++++++++++++++ SECURITY.md | 83 +++++++++++++++++++++ 3 files changed, 185 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/--security-report.md create mode 100644 .github/security-advisory-template.md create mode 100644 SECURITY.md diff --git a/.github/ISSUE_TEMPLATE/--security-report.md b/.github/ISSUE_TEMPLATE/--security-report.md new file mode 100644 index 0000000..1aca992 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/--security-report.md @@ -0,0 +1,48 @@ +--- +name: Security Report +about: Report a security vulnerability in AboutCode projects +title: '[SECURITY] ' +labels: security +assignees: '' + +--- + +**IMPORTANT: Do not publicly disclose security vulnerabilities. Instead, please email security@aboutcode.org with details.** + +**Affected Project(s)** +- [ ] ScanCode Toolkit +- [ ] ScanCode.io +- [ ] VulnerableCode +- [ ] AboutCode Toolkit +- [ ] Other (please specify) + +**Version(s) Affected** +Please specify the version(s) where you found the vulnerability. + +**Description** +A clear and concise description of the vulnerability. + +**Steps to Reproduce** +Steps to reproduce the behavior: +1. Go to '...' +2. Click on '....' +3. Scroll down to '....' +4. See error + +**Expected Behavior** +A clear and concise description of what you expected to happen. + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Additional Context** +Add any other context about the problem here. + +**Impact** +Please describe the potential impact of this vulnerability. + +**Proposed Fix** +If you have a proposed fix, please describe it here. + +**Contact Information** +Your email address (for follow-up questions): \ No newline at end of file 
diff --git a/.github/security-advisory-template.md b/.github/security-advisory-template.md new file mode 100644 index 0000000..53fe19e --- /dev/null +++ b/.github/security-advisory-template.md @@ -0,0 +1,54 @@ +# Security Advisory + +## Summary + +A security vulnerability has been identified in [Project Name] version [Version]. + +## Affected Versions + +- [Project Name] versions [Version Range] + +## Description + +[Detailed description of the vulnerability] + +## Impact + +[Description of the potential impact] + +## CVE ID + +[CVE ID if assigned] + +## Solution + +Update to version [Fixed Version] or apply the following patch: + +```diff +[Patch details if applicable] +``` + +## Workarounds + +[Any available workarounds] + +## Credits + +We would like to thank [Researcher Name/Organization] for reporting this vulnerability. + +## Timeline + +- [Date]: Vulnerability reported +- [Date]: Vulnerability confirmed +- [Date]: Fix developed +- [Date]: Fix tested +- [Date]: Advisory published + +## References + +- [Link to commit/PR with fix] +- [Other relevant references] + +## Contact + +For any questions regarding this advisory, please contact security@aboutcode.org \ No newline at end of file diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..7e7d57c --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,83 @@ +# Security Policy + +## Supported Versions + +We provide security updates for the following versions of our projects: + +| Project | Version | Supported | +| ------- | ------- | ------------------ | +| ScanCode Toolkit | >= 32.0.0 | :white_check_mark: | +| ScanCode.io | >= 32.0.0 | :white_check_mark: | +| VulnerableCode | >= 32.0.0 | :white_check_mark: | +| AboutCode Toolkit | >= 32.0.0 | :white_check_mark: | + +## Reporting a Vulnerability + +**IMPORTANT: Do not publicly disclose security vulnerabilities. Instead, please email security@aboutcode.org with details.** + +We take the security of our software seriously. If you believe you've found a security vulnerability, please follow these steps: + +1. Email your findings to security@aboutcode.org +2. Include as much information as possible about the vulnerability +3. Do not disclose the vulnerability publicly until it has been addressed +4. We will acknowledge receipt of your vulnerability report within 48 hours +5. We will provide a more detailed response within 7 days indicating the next steps + +## Security Process + +1. **Initial Response**: We will acknowledge receipt of your report within 48 hours +2. **Verification**: Our security team will verify the vulnerability +3. **Fix Development**: We will develop a fix for the vulnerability +4. **Testing**: The fix will be thoroughly tested +5. **Release**: A new version will be released with the fix +6. **Disclosure**: We will coordinate public disclosure with you + +## Security Updates + +Security updates are released as new versions of our software. We recommend always using the latest version of our tools. + +## Security Team + +Our security team consists of core maintainers and security experts who review and address security reports. + +## Acknowledgments + +We appreciate the efforts of security researchers who help us keep our software secure. We will acknowledge your contribution in our security advisories unless you request otherwise. 
+ +## Security Practices + +### Code Security + +- All code changes are reviewed by at least one maintainer +- We use automated security scanning tools in our CI/CD pipeline +- Dependencies are regularly audited and updated +- We follow secure coding practices and guidelines + +### Data Security + +- We do not store sensitive user data +- All data processing is done locally unless explicitly configured otherwise +- API keys and credentials are never stored in the codebase +- We use environment variables for sensitive configuration + +### Infrastructure Security + +- Regular security updates are applied to our infrastructure +- Access to production systems is restricted and monitored +- We use secure communication protocols (HTTPS, SSH) +- Regular security audits are performed + +## Responsible Disclosure + +We believe in responsible disclosure and will work with security researchers to address vulnerabilities in a timely manner. We will not take legal action against security researchers who report vulnerabilities according to this policy. + +## Security Contacts + +- Primary: security@aboutcode.org +- Backup: pombredanne@gmail.com + +## Additional Resources + +- [GitHub Security Advisory Database](https://github.com/advisories) +- [OpenSSF Security Scorecard](https://securityscorecards.dev) +- [Package Repository Security Principles](https://repos.openssf.org/principles-for-package-repository-security) \ No newline at end of file
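Review bot: In the `.github/ISSUE_TEMPLATE/--security-report.md` hunk, the template is self-contradicting: it opens with "Do not publicly disclose security vulnerabilities" yet, as a GitHub issue template, every report filed through it becomes a public issue, and the "Contact Information" field asks the reporter to put their email address into that public issue. Consider reducing this template to a short pointer to the private channel (the security@aboutcode.org address from SECURITY.md, or GitHub's private vulnerability reporting) and moving the Description, Steps to Reproduce, Impact and Proposed Fix fields into the private report format instead. Separately, the "Steps to Reproduce" boilerplate ("Go to '...'", "Click on '....'", "Scroll down to '....'") reads as copied from a generic bug template and fits poorly for the command-line tools listed under "Affected Project(s)"; a version/command/input prompt would serve better, and the leading dashes in the filename look unintentional.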
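Review bot: In the `.github/security-advisory-template.md` hunk, the advisory has no severity field (for example a CVSS vector or a High/Medium/Low rating next to the "CVE ID" section), so readers cannot prioritise without parsing the prose, and the "Timeline" omits the two dates that matter most for coordinated disclosure: when the reporter was notified of the fix and the agreed public disclosure date. Suggest adding a "## Severity" section and two timeline entries such as "- [Date]: Reporter notified of fix" and "- [Date]: Public disclosure". The "## Credits" sentence should also leave room for a reporter who asked not to be named, which SECURITY.md's "unless you request otherwise" already promises; a placeholder like "[Researcher Name/Organization, or 'an anonymous reporter']" would keep the two documents consistent.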
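Review bot: In the `SECURITY.md` hunk, the "Supported Versions" table lists the identical ">= 32.0.0" for all four projects, which looks copy-pasted; each row should be checked against that project's actual release line before this is published, since a wrong floor either promises patches for versions nobody maintains or tells users of a supported release that they are unsupported. Two smaller points: the "Reporting a Vulnerability" steps and the "Security Process" list both state the 48-hour acknowledgement, so one of them can drop it, and the "Responsible Disclosure" section asks reporters not to disclose "until it has been addressed" without a maximum embargo window (a stated number of days after which the reporter may publish), which is the usual safeguard for the reporter and worth adding alongside the no-legal-action commitment. Listing a personal Gmail address as the "Backup" security contact is also a judgment call; a second project-controlled mailbox would survive maintainer changes.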