diff options
author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2017-03-07 08:33:27 -0500 |
---|---|---|
committer | Martin Pitt <martinpitt@users.noreply.github.com> | 2017-03-07 14:33:27 +0100 |
commit | c2205a0d4f23850f541198c1b9e5ac9bda6628b4 (patch) | |
tree | ddb524fe72d7a20de35ad2fe36ab797cf3c2a044 /.github | |
parent | f013e99e160f385a0c02793c612ef4c8a8ffc4d7 (diff) | |
download | systemd-c2205a0d4f23850f541198c1b9e5ac9bda6628b4.tar.gz |
docs: add a note about reporting security vulns (#5541)
We *do* have the occasional security issue, where it would be nice to have
non-public disclosure and time to fix the issue before it's fully public. Our
github infrastracture does not make it easy to report vulnerabilities in
confidential manner, so let's leverage the distro mechanisms for that. I
think we're better off with this solution than leaving it up to individual
reporters to discover some mechanism on their own.
Diffstat (limited to '.github')
-rw-r--r-- | .github/CONTRIBUTING.md | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index abee9cc740..bb04e2ccca 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md @@ -11,6 +11,10 @@ We welcome contributions from everyone. However, please follow the following gui Following these guidelines makes it easier for us to process your issue, and ensures we won't close your issue right-away for being misfiled. +## Security vulnerability reports + +If you discover a security vulnerability, we'd appreciate a non-public disclosure. The issue tracker and mailing list listed above are fully public. If you need to reach systemd developers in a non-public way, report the issue in one of the "big" distributions using systemd: [Fedora](https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=systemd) (be sure to check "Security Sensitive Bug" under "Show Advanced Fields"), [Ubuntu](https://launchpad.net/ubuntu/+source/systemd/+filebug) (be sure to change "This bug contains information that is" from "Public" to "Private Security"), or [Debian](mailto:security@debian.org). Various systemd developers are active distribution maintainers and will propagate the information about the bug to other parties. + ## Posting Pull Requests * Make sure to post PRs only relative to a very recent git master. |