
adopt security guidelines (#197)

Johannes Weiss 4 years ago
parent commit 7ebe44cb03
2 files changed with 47 additions and 0 deletions
  1. README.md (+4 -0)
  2. SECURITY.md (+43 -0)

+ 4 - 0
README.md

@@ -202,6 +202,10 @@ around between libraries to preserve metadata and the like.
 If you want to filter all log messages originating from a certain subsystem, filter by `source` which defaults to the module that is emitting the
 log message.
 
+## Security
+
+Please see [SECURITY.md](SECURITY.md) for SwiftLog's security process.
+
 ## Design
 
 This logging API was designed with the contributors to the Swift on Server community and approved by the [SSWG (Swift Server Work Group)](https://swift.org/server/) to the 'sandbox level' of the SSWG's [incubation process](https://github.com/swift-server/sswg/blob/master/process/incubation.md).

+ 43 - 0
SECURITY.md

@@ -0,0 +1,43 @@
+# Security
+
+This document specifies the security process for the SwiftLog project.
+
+## Disclosures
+
+### Private Disclosure Process
+
+The SwiftLog maintainers ask that known and suspected vulnerabilities be
+privately and responsibly disclosed by emailing
+[sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org)
+with the all the required detail.
+**Do not file a public issue.**
+
+#### When to report a vulnerability
+
+* You think you have discovered a potential security vulnerability in SwiftLog.
+* You are unsure how a vulnerability affects SwiftLog.
+
+#### What happens next?
+
+* A member of the team will acknowledge receipt of the report within 3
+  working days (United States). This may include a request for additional
+  information about reproducing the vulnerability.
+* We will privately inform the Swift Server Work Group ([SSWG][sswg]) of the
+  vulnerability within 10 days of the report as per their [security
+  guidelines][sswg-security].
+* Once we have identified a fix we may ask you to validate it. We aim to do this
+  within 30 days. In some cases this may not be possible, for example when the
+  vulnerability exists at the protocol level and the industry must coordinate on
+  the disclosure process.
+* If a CVE number is required, one will be requested from [MITRE][mitre]
+  providing you with full credit for the discovery.
+* We will decide on a planned release date and let you know when it is.
+* Prior to release, we will inform major dependents that a security-related
+  patch is impending.
+* Once the fix has been released we will publish a security advisory on GitHub
+  and in the Server → Security Updates category on the [Swift forums][swift-forums-sec].
+
+[sswg]: https://github.com/swift-server/sswg
+[sswg-security]: https://github.com/swift-server/sswg/blob/main/security/README.md
+[swift-forums-sec]: https://forums.swift.org/c/server/security-updates/
+[mitre]: https://cveform.mitre.org/
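Review bot: the Private Disclosure Process paragraph has a doubled article, `with the all the required detail`, which should read `with all the required detail`; and since nothing in this file says what that detail is, consider stating it (affected SwiftLog version, reproduction steps, impact) either in that paragraph or under "When to report a vulnerability", so that reporters know what to send and the "request for additional information" step listed under "What happens next?" is needed less often. Also, the `[sswg-security]` reference points at the `main` branch of the SSWG repository while the README's incubation-process link in the first hunk uses `master`; worth checking that both URLs still resolve before this lands.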