Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create a Security Policy #1511

Open
joycebrum opened this issue Mar 20, 2023 · 7 comments · May be fixed by #1512
Open

Create a Security Policy #1511

joycebrum opened this issue Mar 20, 2023 · 7 comments · May be fixed by #1512

Comments

@joycebrum
Copy link
Contributor

A Security Policy is a GitHub standard document (SECURITY.md) that can be seen in the “Security Tab” to instruct users about how to report vulnerability in the safest and most efficient way possible.

image

It is a Scorecard Recommendation (being one check of medium priority) and a Github Recommendation.

Together with this issue I’ll submit one suggestion of Security Policy, feel free to edit it directly or ask me for editions until it is in compliance with how JNA would best handle with vulnerabilities reports.

@joycebrum joycebrum linked a pull request Mar 20, 2023 that will close this issue
@dblock
Copy link
Member

dblock commented Mar 24, 2023

There's $100/month on Tidelift for JNA, https://tidelift.com/lifter/search/maven/net.java.dev.jna:jna, with TideLift and we could enable enterprise support using them. I can set it up, and we'd have to figure out how to distribute the $. I've had good success in other projects. Maybe @matthiasblaesing, @twall and others are interested?

Here's a security policy I use for other lifted projects: https://github.com/slack-ruby/slack-ruby-client/blob/master/SECURITY.md

@matthiasblaesing
Copy link
Member

Right now I'm not interested in contracted work on JNA.

@dblock
Copy link
Member

dblock commented Mar 24, 2023

Right now I'm not interested in contracted work on JNA.

Right. Neither am I. Tidelift takes care of being the one with a contract for security patching work. It just happens to offer some money, which we can distribute via GitHub sponsors for example. Care to take a look at say what you think about it?

@dbwiddis
Copy link
Contributor

There's $100/month on Tidelift for JNA, https://tidelift.com/lifter/search/maven/net.java.dev.jna:jna, with TideLift and we could enable enterprise support using them. I can set it up, and we'd have to figure out how to distribute the $. I've had good success in other projects. Maybe @matthiasblaesing, @twall and others are interested?

I have set up my JNA-based project on Tidelift. It's not that much work to set up (making sure you have a security policy stated which you can copy and paste pointing to them), point to where release notes are, and list the currently supported branch(es).

It does somewhat create the expectation of "support" in terms of fixing bugs, but I think we already do our best to do that anyway.

@dblock
Copy link
Member

dblock commented Mar 28, 2023

These are the folks with maintain/write permissions:
@twall @matthiasblaesing @lgoldstein @bhamail @krosenvold @toddfast @dbwiddis

Would you be ok adding TideLift to this project? Appreciate a yes/no from some majority, and as before I think @twall can veto/decide if we have a tie.

I can do all the work to set it up, collect the $100/mo via my LLC, pay taxes, and redistribute it via GH sponsors if anyone wants some and has it setup.

I think any organization that wants to pay open-source contributors, however little it is, is a good thing. So my vote is a yes.

@dbwiddis
Copy link
Contributor

dbwiddis commented Mar 28, 2023 via email

@joycebrum
Copy link
Contributor Author

Hi @twall @matthiasblaesing @lgoldstein @bhamail @krosenvold @toddfast any thoughts about this? We can either configure Tidelift or use Github Security Advisory to receive vulnerability reports.

Let me know what you rather do.

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants