-
-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify the security issue process #32
Comments
Here is my suggestion on how we can improve the current process, and how we can make sure security is a prioritization: I suggest we use https://docs.github.com/en/code-security/security-advisories throughout the process. We create a The team should also bring awareness to more global issues or suggestions as they have the full picture of related security issues. To create a sense of urgency, I would suggest that we give the maintainers 90 days (it seem to be the standard) to provide a fix in private, if more time passes the security audit will be made public to notify relevant stakeholders of the issue. if the issue is fixed earlier then that it is of course released ASAP. I suggest we add the entire process to https://github.com/asyncapi/.github/blob/master/SECURITY.md as well as exposure on the website about the team its role and how to help out. For the team itself, I suggest we start utilizing the TSC for voting purposes to select the This is just an idea from my side but could be really awesome if the group made assessments of tooling on their own periodically. I think we will have to keep the initial process and work for the group as minimal as possible and add more tasks later. References: |
This issue has been automatically marked as stale because it has not had recent activity 😴 |
@derberg any process in terms of the TSC progress to enable the vote on this? |
no progress yet, might be that AsyncAPI conference setup will speed up cleanup here and maintenance of TSC members list |
This issue has been automatically marked as stale because it has not had recent activity 😴 It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation. There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model. Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here. Thank you for your patience ❤️ |
This issue has been automatically marked as stale because it has not had recent activity 😴 It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation. There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model. Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here. Thank you for your patience ❤️ |
@jonaslagoni voting is possible now, in case you want to continue working on this one |
I don't have the bandwidth to solo take this on at the moment and it's not that pressing to prioritize it at the moment. Maybe next year for me. If others want to take it up, feel free 👍 |
This issue has been automatically marked as stale because it has not had recent activity 😴 It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation. There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model. Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here. Thank you for your patience ❤️ |
This issue has been automatically marked as stale because it has not had recent activity 😴 It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation. There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model. Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here. Thank you for your patience ❤️ |
I was wondering if there are maybe some foundations or other organizations that sponsor |
This issue has been automatically marked as stale because it has not had recent activity 😴 It will be closed in 120 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation. There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. AsyncAPI Initiative is a Linux Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model. Let us figure out together how to push this issue forward. Connect with us through one of many communication channels we established here. Thank you for your patience ❤️ |
Let's keep it open, so we get reminded. I'm exploring options for more funding and how we could hire more people by the initiative to own such topics |
Reason/Context
With more and more tools, we increase the attack surface that might be leveraged in unintended ways. We should provide a structure where code owners and maintainers can spare and help each other solve security issues.
The current security policy we have: https://github.com/asyncapi/community/security/policy (What happens when someone sends an email to this? I have no idea 🤷). Are we using the security advisory feature on GitHub on each repository?
Description
Therefore we should provide a clear structure for everyone evolved to know the entire process. From the reporter to the one fixing the issue.
The text was updated successfully, but these errors were encountered: