
Add a SECURITY.md #20

Merged
merged 1 commit into from
Aug 4, 2023

Conversation

ReinderVosDeWael
Contributor

This PR adds a security policy which informs users on how to inform us of security vulnerabilities in our applications. For an example usage, see the side bar of https://github.com/cmi-dair/cross-species-mapper/ .

Instructions have been added to the README.md to either modify SECURITY.md, or delete it if it's not relevant.
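The README instruction above (customise SECURITY.md or delete it) is easy to forget once a project is generated from the template. Below is an added example of a small check a downstream project could run in CI to enforce it; it is not part of this PR or the template repository. It assumes a placeholder convention of square-bracketed tokens such as [INSERT CONTACT EMAIL] in the template file (the PR page does not show the template's actual wording), and treats either a contact e-mail address or a GitHub security-advisory URL as the private reporting channel the policy must name.

```python
import re
from pathlib import Path
from typing import List, Optional

# Assumed placeholder convention for an un-customised template SECURITY.md,
# e.g. "[INSERT CONTACT EMAIL]" or "<project-name>". The real template's
# wording is not shown on the PR page, so this is an assumption.
PLACEHOLDER_RE = re.compile(
    r"\[(?:INSERT|TODO|REPLACE)[^\]]*\]|<project-name>", re.IGNORECASE
)
# A private reporting channel: an e-mail address or a GitHub advisory URL.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ADVISORY_RE = re.compile(
    r"https://github\.com/[\w.-]+/[\w.-]+/security/advisories", re.IGNORECASE
)


def check_security_policy(text: Optional[str]) -> List[str]:
    """Return findings for the body of a SECURITY.md.

    ``text`` is None when the file was deleted, which the README treats as a
    valid choice for projects where a policy is not relevant; that case
    produces no findings.
    """
    if text is None:
        return []
    findings: List[str] = []
    if PLACEHOLDER_RE.search(text):
        findings.append("placeholder text left in SECURITY.md")
    if not (EMAIL_RE.search(text) or ADVISORY_RE.search(text)):
        findings.append(
            "no private reporting channel (email or GitHub advisory URL)"
        )
    return findings


def check_repo(repo_dir: Path) -> List[str]:
    """Read SECURITY.md from a checkout (if present) and check it."""
    policy = repo_dir / "SECURITY.md"
    text = policy.read_text(encoding="utf-8") if policy.is_file() else None
    return check_security_policy(text)


# Constructed sample policies for demonstration (not from the template).
CUSTOMISED_POLICY = """# Security Policy

We take security seriously. Please report vulnerabilities privately to
security@example.org rather than through the public issue tracker.
"""

STALE_TEMPLATE_POLICY = """# Security Policy

Report vulnerabilities to [INSERT CONTACT EMAIL].
"""

if __name__ == "__main__":
    for name, body in (("customised", CUSTOMISED_POLICY),
                       ("stale template", STALE_TEMPLATE_POLICY),
                       ("deleted", None)):
        print(name, "->", check_security_policy(body) or "OK")
```

In CI, call check_repo on the checkout and fail the job when the returned list is non-empty; a deleted file passes, a customised one passes, and a copy still carrying the template placeholder (or naming no private channel at all) is reported.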

@github-actions

Coverage

Coverage Report
File    Stmts   Miss   Cover
TOTAL   10      0      100%

Tests Skipped Failures Errors Time
4 0 💤 0 ❌ 0 🔥 0.077s ⏱️

@codecov

codecov bot commented Jul 26, 2023

Codecov Report

Patch and project coverage have no change.

Comparison is base (402d621) 100.00% compared to head (c93fc6a) 100.00%.

Additional details and impacted files
@@            Coverage Diff            @@
##              main       #20   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines           10        10           
=========================================
  Hits            10        10           


@clane9
Contributor

clane9 commented Aug 3, 2023

Personally I'm a bit opposed to worrying about security. I know this is not the "right way", but I feel like it's often not a necessity for the sort of stuff we're building (cf pybids and nilearn do not have a SECURITY.md). And maintaining a responsible security policy seems hard. My 2c would be to not put this in the template, but add it to projects that require it.

@ReinderVosDeWael
Contributor Author

@gkiar tie breaker on these opposing reviews? :)

@ReinderVosDeWael
Contributor Author

ReinderVosDeWael commented Aug 3, 2023

It'd only not be a necessity if there are no vulnerabilities, which means there's no work to do anyway :). Security should always be a concern; it takes but a single significant data leak that makes it into the media to drag CMI's reputation into the gutter.

@gkiar
Contributor

gkiar commented Aug 4, 2023

Afaict, the policy is just:

  • we care about security
  • tell us privately so we can address

I see no harm in including that in templates? As @clane9 rightly points out: most of the time this is irrelevant for what we do, and, as @ReinderVosDeWael says, when it is relevant, it's important and we want to cover our bases.

@gkiar gkiar self-requested a review August 4, 2023 18:09
@ReinderVosDeWael ReinderVosDeWael merged commit a2ec5b9 into main Aug 4, 2023
6 checks passed
@ReinderVosDeWael ReinderVosDeWael deleted the feature/securitymd branch August 4, 2023 18:22