
docs: Document behavior for duplicate security issues

jamesread, 2 weeks ago
parent commit 0df9ff1806
1 file changed with 12 additions and 7 deletions
      SECURITY.md

+12 -7
SECURITY.md

@@ -13,15 +13,15 @@ To understand more about 2k vs 3k, see the following docs; https://docs.olivetin
 
 ## OliveTin *is* a remote code execution (RCE) "tool"
 
-The very purpose of OliveTin is to allow users to execute commands remotely on a machine. 
+The very purpose of OliveTin is to allow users to execute commands remotely on a machine.
 
-This means that, by design, OliveTin has much higher potential to be used for remote code execution (RCE), and any security vulnerabilities that do occur have the potential to be much more severe than in other types of software. 
+This means that, by design, OliveTin has much higher potential to be used for remote code execution (RCE), and any security vulnerabilities that do occur have the potential to be much more severe than in other types of software.
 
 We hope that you understand that while the project goes to great aims to be safe, and mitigate, that security vulnerabilities are inevitable, as they are with all software of all sizes - like Kubernetes, the Kernel, etc - and OliveTin has substantially less resources than those projects.
 
 With that being said, OliveTin tries to follow examples of best practice, so judge the project not on if/when it has security issues, but how security issues are responded to as the measure of quality.
 
-This is why we take security very seriously, and why we encourage responsible disclosure practices when reporting vulnerabilities. 
+This is why we take security very seriously, and why we encourage responsible disclosure practices when reporting vulnerabilities.
 
 ## Reporting a Vulnerability
 
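Review bot: the only changes in this hunk are trailing-whitespace removals on the four rewritten lines, which the commit message ("Document behavior for duplicate security issues") does not mention; fine to bundle, but while this section is being touched, the unchanged sentence "while the project goes to great aims to be safe, and mitigate, that security vulnerabilities are inevitable" would read better as "while the project aims to be safe and to mitigate issues, security vulnerabilities are inevitable".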
@@ -29,7 +29,7 @@ Please use responsible disclosure practices when reporting a vulnerability. **Yo
 
 * **Option A (preferred)**: GitHub Security Advisories, which allows you to report a vulnerability privately and securely. Use this direct link to report privately: `https://github.com/OliveTin/OliveTin/security/advisories/new`. This allows you to provide details without making them public.
 
-* **Option B**: Please email `contact@jread.com` for responsible disclosure. 
+* **Option B**: Please email `contact@jread.com` for responsible disclosure.
 
 The following notes might be helpful when reporting a vulnerability:
 
@@ -41,15 +41,20 @@ The following notes might be helpful when reporting a vulnerability:
 
 It is incredibly useful to not just patch security vulnerabilities, but also to understand how they were found. If you are able to share this information, it can help us and the community to better understand potential attack vectors and improve the overall security of the project.
 
+## Duplicate reports
+
+If you are reporting via GitHub Security Advisories, search existing [repository advisories](https://github.com/OliveTin/OliveTin/security/advisories) for the same component and attack path before filing. Maintainers may close duplicate submissions and continue work on a single canonical advisory; duplicate reporters are still credited.
+
+Maintainers: see [.github/SECURITY_ADVISORY_DUPLICATES.md](.github/SECURITY_ADVISORY_DUPLICATES.md) for known duplicate pairs, triage steps, and OAuth2 issues that are easy to confuse with each other.
+
 ## Process
 
 Once a vulnerability is reported, the process is;
 
+* Check [.github/SECURITY_ADVISORY_DUPLICATES.md](.github/SECURITY_ADVISORY_DUPLICATES.md) and open advisories for duplicates before accepting.
 * Accept or reject the report, and communicate with the reporter about next steps.
 * If accepted, patch using a temporary branch, and code review will be requested from the original reporter if they are interested.
 * The severity of the vulnerability will be assessed using CVSS, and the patch will be prioritised accordingly.
 * Once the patch is ready, it will be queued for a release onto the `next` branch (3k) or `release/2k` branch (2k)
 * The reporter will be credited in the advisory and the release notes, but not the commit message.
-* The commit message will contain a reference to the CVSS score (eg: MED) and the advisory ID. 
-
-
+* The commit message will contain a reference to the CVSS score (eg: MED) and the advisory ID.
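Review bot: both new links target `.github/SECURITY_ADVISORY_DUPLICATES.md`, but this commit changes only SECURITY.md (1 file changed), so the links are dangling unless that file already exists on the branch; confirm before merging. Because SECURITY.md is public, also confirm that the maintainer-facing file it advertises (described here as listing "known duplicate pairs" and "OAuth2 issues that are easy to confuse with each other") does not describe issues that are still unpatched; if it does, keep that file private and drop the public link. Minor: the new process bullet "Check ... for duplicates before accepting" repeats the link from the `## Duplicate reports` section; one of the two could simply refer to the other.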