From 0ec11d535199114a79dfb6732deafb0de9d5e537 Mon Sep 17 00:00:00 2001 From: Nicco Kunzmann Date: Mon, 23 Dec 2024 13:12:47 +0000 Subject: [PATCH] Apply suggestion for security policy, copied from Pylons See https://github.com/Pylons/.github/blob/main/SECURITY.md See https://github.com/collective/icalendar/pull/755#discussion_r1894708114 --- docs/security.rst | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/docs/security.rst b/docs/security.rst index a053ab71..4a4305ac 100644 --- a/docs/security.rst +++ b/docs/security.rst 
@@ -15,20 +15,42 @@ Security vulnerabilities are fixed only for the latest version of ``icalendar``. * - Version - Supported * - 6.* - - ✅ + - YES * - 5.* - - ❌ + - no * - 4.* - - ❌ + - no * - < 4.* - - ❌ + - no Reporting a Vulnerability ------------------------- -Please `report vulnerabilities of icalendar to Plone -`_. -If you cannot do this, please contact one of the -:ref:`maintainers` -directly or open an issue. +To report security issues of ``collective/icalendar``, use the ``Report a vulnerability`` button on the project's `Security Page `_. +If you cannot do this, please contact one of the :ref:`maintainers` directly. + +If we determine that your report may be a security issue with the project, we may contact you for further information. +We volunteers ask that you delay public disclosure of your report for at least ninety (90) days from the date you report it to us. +This will allow sufficient time for us to process your report and coordinate disclosure with you. + +Once verified and fixed, the following steps will be taken: + +- We will use GitHub's Security Advisory tool to report the issue. +- GitHub will review our Security Advisory report for compliance with Common Vulnerabilities and Exposures (CVE) rules. + If it is compliant, they will submit it to the MITRE Corporation to generate a `CVE `_. + This in turn submits the CVE to the `National Vulnerability Database (NVD) `_. + GitHub notifies us of their decision. +- Assuming it is compliant, we then publish our Security Advisory on GitHub, which triggers the next steps. +- GitHub will publish the CVE to the CVE List. +- GitHub will broadcast our Security Advisory via the `GitHub Advisory Database `_ to all repositories that use our package (and have opted into security alerts). + This includes Dependabot alerts. +- We will make a bug-fix release. 
+- We will send an announcement through our usual channels: + + - The GitHub release + - The GitHub discussions + - The `Plone Community Forum `_ + +- We will provide credit to the reporter or researcher in the vulnerability notice.
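Review bot: the reStructuredText link targets are not visible in this hunk as displayed; `Security Page `_`, `CVE `_`, `National Vulnerability Database (NVD) `_`, `GitHub Advisory Database `_` and `Plone Community Forum `_` all lack the `<url>` part of the `` `text <url>`_ `` form, and the first of these is now the primary reporting channel, so please confirm each target is actually present before merging or the "Report a vulnerability" pointer renders as a broken reference. Two smaller points in the same hunk: the supported-versions table now mixes `YES` and `no` where the old ✅/❌ were at least consistent, so use `Yes`/`No` in one case; and "We volunteers ask that you delay public disclosure" reads awkwardly, while "As volunteers, we ask that you delay public disclosure of your report for at least ninety (90) days" keeps the meaning. Dropping "or open an issue" from the fallback instructions is the right call, since a public issue would disclose the vulnerability before a fix exists.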