Commit ccc7b5b

[Docs] Add a SECURITY.md file documenting the security process. (#1)

### Motivation

In order to allow developers to report suspected security issues confidentially, we need a documented process for reporting issues affecting security.

### Modifications

Added a SECURITY.md inspired by the SwiftNIO one.

### Result

Developers can now follow the process when a suspected security issue is found.

### Test Plan

N/A

Reviewed by: simonjbeaumont #1
1 parent db38b1b commit ccc7b5b

File tree: 2 files changed, +44 -0 lines changed

SECURITY.md

Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
# Security
2+
3+
This document specifies the security process for the SwiftOpenAPIGenerator project.
4+
5+
## Disclosures
6+
7+
### Private Disclosure Process
8+
9+
The SwiftOpenAPIGenerator team asks that known and suspected vulnerabilities be privately
10+
and responsibly disclosed by emailing [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org)
11+
with the details usually included with bug reports.
12+
**Do not file a public issue.**
13+
14+
#### When to report a vulnerability
15+
16+
* You think you have discovered a potential security vulnerability in SwiftOpenAPIGenerator or any of the SwiftOpenAPIGenerator projects.
17+
* You are unsure how a vulnerability affects SwiftOpenAPIGenerator or any of the SwiftOpenAPIGenerator projects.
18+
19+
#### What happens next?
20+
21+
* A member of the team will acknowledge receipt of the report within 3
22+
working days (United States). This may include a request for additional
23+
information about reproducing the vulnerability.
24+
* We will privately inform the Swift Server Work Group ([SSWG][sswg]) of the
25+
vulnerability within 10 days of the report as per their [security
26+
guidelines][sswg-security].
27+
* Once we have identified a fix we may ask you to validate it. We aim to do this
28+
within 30 days. In some cases this may not be possible, for example when the
29+
vulnerability exists at the protocol level and the industry must coordinate on
30+
the disclosure process.
31+
* If a CVE number is required, one will be requested from [MITRE][mitre]
32+
providing you with full credit for the discovery.
33+
* We will decide on a planned release date and let you know when it is.
34+
* Prior to release, we will inform major dependents that a security-related
35+
patch is impending.
36+
* Once the fix has been released we will publish a security advisory on GitHub
37+
and the [SSWG][sswg] will announce the vulnerability on the [Swift
38+
forums][swift-forums-sec].
39+
40+
[sswg]: https://github.com/swift-server/sswg
41+
[sswg-security]: https://github.com/swift-server/sswg/blob/main/process/incubation.md#security-best-practices
42+
[swift-forums-sec]: https://forums.swift.org/c/server/security-updates/
43+
[mitre]: https://cveform.mitre.org/
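Review bot: the "Private Disclosure Process" section gives only a plain mailbox (sswg-security-reports@forums.swift.org) with no encrypted option, and "the details usually included with bug reports" does not tell a reporter what the team actually needs; consider adding a PGP key or another encrypted path for sensitive details, and listing the expected contents of a report (affected package and version, reproduction steps, impact, any proof of concept). Two smaller gaps in the same file: "any of the SwiftOpenAPIGenerator projects" under "When to report a vulnerability" never says which repositories are in scope, and there is no supported-versions statement, so a reporter cannot tell whether a fix for an older release will be considered.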

scripts/check-license-headers.sh

Lines changed: 1 addition & 0 deletions
@@ -50,6 +50,7 @@ read -ra PATHS_TO_CHECK_FOR_LICENSE <<< "$( \
5050
":(exclude)NOTICE.txt" \
5151
":(exclude)Package.swift" \
5252
":(exclude)README.md" \
53+
":(exclude)SECURITY.md" \
5354
":(exclude)scripts/unacceptable-language.txt" \
5455
":(exclude)docker/*" \
5556
":(exclude)**/*.docc/*" \
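Review bot: the new `":(exclude)SECURITY.md"` entry is resolved relative to the directory the script is run from, like every other pattern in this `PATHS_TO_CHECK_FOR_LICENSE` list, since a git pathspec without a leading slash or `top` magic is not anchored at the repository root; the visible context shows no `cd` to the root, so it is worth confirming the script is always invoked from there (or switching the list to `:(exclude,top)` patterns) so that a run from a subdirectory does not silently skip the exclusion. Otherwise the addition is consistent with `README.md` and `NOTICE.txt`, which are likewise prose files carrying no license header.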
