author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2017-03-07 08:33:27 -0500
committer: Martin Pitt <martinpitt@users.noreply.github.com> 2017-03-07 14:33:27 +0100
commit: c2205a0d4f23850f541198c1b9e5ac9bda6628b4 (patch)
tree: ddb524fe72d7a20de35ad2fe36ab797cf3c2a044 /.github
parent: f013e99e160f385a0c02793c612ef4c8a8ffc4d7 (diff)
download: systemd-c2205a0d4f23850f541198c1b9e5ac9bda6628b4.tar.gz
docs: add a note about reporting security vulns (#5541)
We *do* have the occasional security issue, where it would be nice to have non-public disclosure and time to fix the issue before it's fully public. Our github infrastructure does not make it easy to report vulnerabilities in a confidential manner, so let's leverage the distro mechanisms for that. I think we're better off with this solution than leaving it up to individual reporters to discover some mechanism on their own.
Diffstat (limited to '.github')
-rw-r--r-- .github/CONTRIBUTING.md | 4
1 file changed, 4 insertions, 0 deletions
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
index abee9cc740..bb04e2ccca 100644
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -11,6 +11,10 @@ We welcome contributions from everyone. However, please follow the following gui
Following these guidelines makes it easier for us to process your issue, and ensures we won't close your issue right-away for being misfiled.
+## Security vulnerability reports
+
+If you discover a security vulnerability, we'd appreciate a non-public disclosure. The issue tracker and mailing list listed above are fully public. If you need to reach systemd developers in a non-public way, report the issue in one of the "big" distributions using systemd: [Fedora](https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=systemd) (be sure to check "Security Sensitive Bug" under "Show Advanced Fields"), [Ubuntu](https://launchpad.net/ubuntu/+source/systemd/+filebug) (be sure to change "This bug contains information that is" from "Public" to "Private Security"), or [Debian](mailto:security@debian.org). Various systemd developers are active distribution maintainers and will propagate the information about the bug to other parties.
+
## Posting Pull Requests
* Make sure to post PRs only relative to a very recent git master.
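Review bot: the Debian entry in the new "Security vulnerability reports" section is a bare `mailto:security@debian.org` link, while the Fedora and Ubuntu entries each spell out the step that keeps the report private ("Security Sensitive Bug", "Private Security"); a short clause saying that mail to that address is handled privately by the Debian security team, and whether encrypted mail is preferred, would make the three options consistent and spare a reporter from guessing whether the mail goes to a public list. The sentence "The issue tracker and mailing list listed above are fully public" does the important job of steering reporters away from GitHub issues, so it is worth keeping that statement first in the paragraph.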