From ba638a34c8ca46b58f0edc30623fc9108f22dad0 Mon Sep 17 00:00:00 2001 From: Robb Kidd Date: Fri, 12 Jul 2024 17:53:55 -0400 Subject: [PATCH 1/2] update security reporting policy Steer folks towards reporting security issues for public projects via GitHub's report-privately feature. And a bunch more words around version expectation management and where to report security issues with the product UI/API. --- SECURITY.md | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index c0ce73b..6c7e572 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,3 +1,26 @@ -# Reporting Security Issues +# Security Policy -If you discover a security vulnerability, please open an issue with label `type: security`. +This security policy applies to public projects under the [honeycombio organization][gh-organization] on GitHub. +For security reports involving the services provided at `(ui|ui-eu|api|api-eu).honeycomb.io`, refer to the [Honeycomb Bug Bounty Program][bugbounty] for scope, expectations, and reporting procedures. + +## Security/Bugfix Versions + +Security and bug fixes are generally provided only for the last minor version. +Fixes are released either as part of the next minor version or as an on-demand patch version. + +Security fixes are given priority and might be enough to cause a new version to be released. + +## Reporting a Vulnerability + +We encourage responsible disclosure of security vulnerabilities. +If you find something suspicious, we encourage and appreciate your report! + +### Ways to report + +In order for the vulnerability reports to reach maintainers as soon as possible, the preferred way is to use the "Report a vulnerability" button on the "Security" tab at the top of in the associated project's GitHub repository page. +This creates a private communication channel between the reporter and the maintainers. + +If you are absolutely unable to or have strong reasons not to use GitHub's vulnerability reporting workflow, please reach out to the Honeycomb security team at [security@honeycomb.io](mailto:security@honeycomb.io). + +[gh-organization]: https://github.com/honeycombio +[bugbounty]: https://www.honeycomb.io/bugbountyprogram From 9583df2cd28280ebfd86912b0802e959f04cd625 Mon Sep 17 00:00:00 2001 From: Robb Kidd Date: Fri, 12 Jul 2024 18:10:32 -0400 Subject: [PATCH 2/2] fewer words here maybe --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 6c7e572..71d0fbb 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -17,7 +17,7 @@ If you find something suspicious, we encourage and appreciate your report! ### Ways to report -In order for the vulnerability reports to reach maintainers as soon as possible, the preferred way is to use the "Report a vulnerability" button on the "Security" tab at the top of in the associated project's GitHub repository page. +In order for the vulnerability reports to reach maintainers as soon as possible, the preferred way is to use the "Report a vulnerability" button under the "Security" tab of the associated GitHub project. This creates a private communication channel between the reporter and the maintainers. If you are absolutely unable to or have strong reasons not to use GitHub's vulnerability reporting workflow, please reach out to the Honeycomb security team at [security@honeycomb.io](mailto:security@honeycomb.io).