From 03a12644c8401df03c63b7ad83ae30ca357510bf Mon Sep 17 00:00:00 2001 From: wlandau Date: Sun, 17 Nov 2024 11:28:32 -0500 Subject: [PATCH 1/6] Edit security policy --- security.md | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/security.md b/security.md index 2792c19..98337f1 100644 --- a/security.md +++ b/security.md 
@@ -4,17 +4,32 @@ title: "Security Policy" Security threats and vulnerabilities affect everyone using R-multiverse. Issues may include (but are not limited to): +* Malware in R packages contributed to R-multiverse. * Unauthorized access to or its repositories. * Malicious attempts to inundate with pull requests. * Other [denial of service (DoS) attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack) on the [R-multiverse bot](https://github.com/apps/r-multiverse) or other infrastructure. +# Protecting package users + +If you notice a security issue or other vulnerability in an R package contributed to R-multiverse, please report it: + +1. Open an issue at . In the comments, please notify the R-multiverse administrators and moderators using `@r-multiverse/administrators` and `@r-multiverse/moderators`, respectively. +2. Add the affected versions of the package to the [R Consortium Advisory Database](https://github.com/RConsortium/r-advisory-database). + +# Protecting R-multiverse + Please help keep R-multiverse operational. -In the event of publicly visible malicious behavior, such as a [DoS attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) on , please: + +## Public attacks + +In the event of publicly visible malicious activity in R-multiverse infrastructure, such as a [DoS attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) on , please: 1. [Report abuse or spam](https://docs.github.com/en/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam) through GitHub. -2. Open an issue at to inform R-multiverse administrators. +2. Open an issue at to inform R-multiverse administrators and moderators. -If you notice a vulnerability that an attacker could potentially exploit, please [report it privately](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). 
+## Private vulnerability reporting + +If you notice a vulnerability that an attacker has not yet exploited, please [report it privately](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). Confidentiality helps fix the problem before most attackers even know about it. After remediation, R-multiverse administrators will open an issue at to inform community about the vulnerability and its resolution. @@ -24,3 +39,4 @@ The steps to [privately report vulnerabilities](https://docs.github.com/en/code- 2. Under "Private vulnerability reporting", click "Report a vulnerability". 3. Describe the issue in the advisory details form. 4. At the bottom, click "Submit report". GitHub will then add you as a collaborator on the proposed security advisory you created. + From cec1d7f512f52cea40d06e325a782a90efb9edab Mon Sep 17 00:00:00 2001 From: wlandau Date: Sun, 17 Nov 2024 11:28:52 -0500 Subject: [PATCH 2/6] edit title --- security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security.md b/security.md index 98337f1..73bd3ad 100644 --- a/security.md +++ b/security.md @@ -9,7 +9,7 @@ Security threats and vulnerabilities affect everyone using R-multiverse. Issues * Malicious attempts to inundate with pull requests. * Other [denial of service (DoS) attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack) on the [R-multiverse bot](https://github.com/apps/r-multiverse) or other infrastructure. -# Protecting package users +# Protecting R-multiverse users If you notice a security issue or other vulnerability in an R package contributed to R-multiverse, please report it: From 449617080b9df0f8b40e8d38fa232bd99cb062b8 Mon Sep 17 00:00:00 2001 From: wlandau Date: Sun, 17 Nov 2024 13:00:57 -0500 Subject: [PATCH 3/6] headings --- security.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/security.md b/security.md index 73bd3ad..ca4da4f 100644 --- a/security.md +++ b/security.md @@ -9,25 +9,25 @@ Security threats and vulnerabilities affect everyone using R-multiverse. Issues * Malicious attempts to inundate with pull requests. * Other [denial of service (DoS) attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack) on the [R-multiverse bot](https://github.com/apps/r-multiverse) or other infrastructure. -# Protecting R-multiverse users +## Protecting R-multiverse users If you notice a security issue or other vulnerability in an R package contributed to R-multiverse, please report it: 1. Open an issue at . In the comments, please notify the R-multiverse administrators and moderators using `@r-multiverse/administrators` and `@r-multiverse/moderators`, respectively. 2. Add the affected versions of the package to the [R Consortium Advisory Database](https://github.com/RConsortium/r-advisory-database). -# Protecting R-multiverse +## Protecting R-multiverse Please help keep R-multiverse operational. -## Public attacks +### Public attacks In the event of publicly visible malicious activity in R-multiverse infrastructure, such as a [DoS attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) on , please: 1. [Report abuse or spam](https://docs.github.com/en/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam) through GitHub. 2. Open an issue at to inform R-multiverse administrators and moderators. -## Private vulnerability reporting +### Private vulnerability reporting If you notice a vulnerability that an attacker has not yet exploited, please [report it privately](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). Confidentiality helps fix the problem before most attackers even know about it. From b916cbd125bb9896c9547c3fa7a9afb977ec09da Mon Sep 17 00:00:00 2001 
From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Mon, 18 Nov 2024 10:40:37 -0500 Subject: [PATCH 4/6] Update security.md Co-authored-by: Charlie Gao <53399081+shikokuchuo@users.noreply.github.com> --- security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security.md b/security.md index ca4da4f..b128b5b 100644 --- a/security.md +++ b/security.md @@ -4,7 +4,7 @@ title: "Security Policy" Security threats and vulnerabilities affect everyone using R-multiverse. Issues may include (but are not limited to): -* Malware in R packages contributed to R-multiverse. +* Malware or exploitable code in R packages contributed to R-multiverse. * Unauthorized access to or its repositories. * Malicious attempts to inundate with pull requests. * Other [denial of service (DoS) attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack) on the [R-multiverse bot](https://github.com/apps/r-multiverse) or other infrastructure. From 26481a8d431fa0b9e57c8213b066200b6b7e609e Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Mon, 18 Nov 2024 11:04:42 -0500 Subject: [PATCH 5/6] Consider security issues in R packages --- security.md | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/security.md b/security.md index b128b5b..843b107 100644 --- a/security.md +++ b/security.md 
@@ -11,10 +11,25 @@ Security threats and vulnerabilities affect everyone using R-multiverse. Issues ## Protecting R-multiverse users -If you notice a security issue or other vulnerability in an R package contributed to R-multiverse, please report it: +If you notice a security issue in an R package contributed to R-multiverse, please report it. +### Contact the package authors + +First, please inform the package authors about the issue. If the vulnerability is still active, please report privately to prevent potential attackers from learning about it. +Some packages support [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) through GitHub, +while in other cases, you may need to email the maintainer listed in the packages `DESCRIPTION` file. + +### Contact R-multiverse + +If the package authors do not respond, or if otherwise appropriate, please inform R-multiverse confidentially at . +(See the "Private vulnerability reporting" section below). + +### Notify the community + +When the package vulnerability is resolved (or if the issue is still unresolved but public reporting poses no risk), please notify the community: + +1. Add the affected versions of the package to the [R Consortium Advisory Database](https://github.com/RConsortium/r-advisory-database) so that R-multiverse infrastructure can automatically detect the security issue. 1. Open an issue at . In the comments, please notify the R-multiverse administrators and moderators using `@r-multiverse/administrators` and `@r-multiverse/moderators`, respectively. -2. Add the affected versions of the package to the [R Consortium Advisory Database](https://github.com/RConsortium/r-advisory-database). ## Protecting R-multiverse 
@@ -25,18 +40,17 @@ Please help keep R-multiverse operational. In the event of publicly visible malicious activity in R-multiverse infrastructure, such as a [DoS attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) on , please: 1. [Report abuse or spam](https://docs.github.com/en/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam) through GitHub. -2. Open an issue at to inform R-multiverse administrators and moderators. +1. Open an issue at to inform R-multiverse administrators and moderators. ### Private vulnerability reporting -If you notice a vulnerability that an attacker has not yet exploited, please [report it privately](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). +If you notice a vulnerability in R-multiverse that an attacker has not yet exploited, please [report it privately](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). Confidentiality helps fix the problem before most attackers even know about it. After remediation, R-multiverse administrators will open an issue at to inform community about the vulnerability and its resolution. The steps to [privately report vulnerabilities](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) are: 1. Navigate to . -2. Under "Private vulnerability reporting", click "Report a vulnerability". -3. Describe the issue in the advisory details form. -4. At the bottom, click "Submit report". GitHub will then add you as a collaborator on the proposed security advisory you created. - +1. Under "Private vulnerability reporting", click "Report a vulnerability". +1. Describe the issue in the advisory details form. +1. 
At the bottom, click "Submit report". GitHub will then add you as a collaborator on the proposed security advisory you created. From edd9280a46936c96da9bb8b11077a451b618b996 Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Mon, 18 Nov 2024 11:06:55 -0500 Subject: [PATCH 6/6] grammar --- security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security.md b/security.md index 843b107..4f7ce0c 100644 --- a/security.md +++ b/security.md @@ -17,7 +17,7 @@ If you notice a security issue in an R package contributed to R-multiverse, plea First, please inform the package authors about the issue. If the vulnerability is still active, please report privately to prevent potential attackers from learning about it. Some packages support [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) through GitHub, -while in other cases, you may need to email the maintainer listed in the packages `DESCRIPTION` file. +while in other cases, you may need to email the maintainer listed in the package `DESCRIPTION` file. ### Contact R-multiverse
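Review bot: In PATCH 1/6, the new "Protecting package users" section asks reporters to open a public issue (step 1) and file an advisory-database entry (step 2) for a vulnerability in a contributed package, with no step for contacting the package maintainer first and no condition on whether a fix exists, so a reporter following it to the letter discloses an unpatched vulnerability publicly. PATCH 5/6 later restructures this into "Contact the package authors" / "Contact R-multiverse" / "Notify the community", which resolves the ordering; it would be cleaner to squash that fix into this commit so the intermediate history never carries the disclose-first guidance. Separately, several sentences in this hunk read "Unauthorized access to or its repositories." and "Open an issue at ." with no visible link target; if these are bare `<https://...>` autolinks, confirm they render in the published policy, since as plain text the instructions have no destination.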
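Review bot: The "Private vulnerability reporting" hunk in PATCH 1/6 changes the trigger from "a vulnerability that an attacker could potentially exploit" to "a vulnerability that an attacker has not yet exploited", which makes the reporter's choice depend on something they normally cannot know (whether exploitation has already occurred) rather than on what matters for the reporting channel (whether the issue is already public). Suggest "If you notice a vulnerability that is not yet publicly known, please report it privately", and keep the existing sentence about confidentiality as the rationale; the same wording is carried into the second hunk of PATCH 5/6 ("a vulnerability in R-multiverse that an attacker has not yet exploited") and should change there too. Also, "to inform community about the vulnerability" is missing "the".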
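Review bot: In the first hunk of PATCH 5/6, "If the vulnerability is still active, please report privately" is ambiguous between "unpatched" and "under active exploitation", and the guidance should be the same in both cases; suggest "If the vulnerability is not yet fixed or not yet public, please report it privately". Under "Contact R-multiverse", the escalation condition "If the package authors do not respond" gives no waiting period, so reporters have no way to know when escalation is appropriate; stating one (even approximately) would help, and the sentence "please inform R-multiverse confidentially at ." again has no visible link target. Under "Notify the community", the advisory-database step says R-multiverse infrastructure "can automatically detect the security issue" but does not say what happens as a result (for example, whether the affected version is flagged or removed from the repository); one sentence stating the consequence would tell maintainers and users what to expect.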
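Review bot: PATCH 6/6 changes "the packages `DESCRIPTION` file" to "the package `DESCRIPTION` file"; the intended possessive is "the package's `DESCRIPTION` file". If the goal is to avoid the apostrophe next to inline code, "the `DESCRIPTION` file of the package" reads correctly as well.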