-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding details about CVEs in third party dependencies #5941
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved.
content/security/index.adoc
Outdated
This project is configured in such a way that only the reporter, the maintainers, and the Jenkins security team can see the details. | ||
Restricting access to this potentially sensitive information allows core and plugin maintainers to develop effective security fixes that are safe to apply. | ||
We provide issue reporting guidelines and an overview of our process on link:reporting[Reporting Security Vulnerabilities]. | ||
|
||
If you are unable to report using our issue tracker, you can also send your report to the private Jenkins Security Team mailing list: | ||
`[email protected]` | ||
|
||
IMPORTANT: Do not contact the Jenkins security team asking us for compliance documents, certifications, or to fill out a questionnaire. | ||
We will not respond to such queries. | ||
If we consider it necessary to provide a statement in response to incidents such as link:/blog/2021/12/10/log4j2-rce-CVE-2021-44228/[log4shell] or link:/blog/2022/03/31/spring-rce-CVE-2022-22965/[SpringShell], you will find a response in our link:/node/[blog]. | ||
|
||
To show our appreciation for your help, we'll send you link:/security/gift/[a small reward] for privately reported, valid vulnerability reports. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FTR the redundancy here was deliberate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would you suggest to keep this redundancy?
I see the interest of having the information as close as the potential reporters but also the drawback of having two pages talking about the same things in a sense.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would you suggest to keep this redundancy?
Yes.
I see the interest of having the information as close as the potential reporters but also the drawback of having two pages talking about the same things in a sense.
One is the quick summary, the other is the full level of detail. (Of course, if we feel we need to add more details to the quick summary, making it too long, like we've kinda started with the IMPORTANT
block here, its value diminishes.)
Co-authored-by: Daniel Beck <[email protected]>
Quickly addressed the merge conflicts I introduced. |
Hi @daniel-beck, I wanted to follow up and see if your concerns were addressed with the updates that have been made. If not, what could be changed to provide the right messaging? |
I liked the phrasing of this enough to quote it in a community.jenkins.io post. |
Pending a conversation with Wadeck we've been postponing repeatedly since January… |
Please take a moment and address the merge conflicts of your pull request. Thanks! |
As the reporting of CVEs is a recurrent topic within the security team, I would like to clarify our standpoint.