addressing PR comments
This commit is contained in:
parent
0e1093e3bb
commit
bdb5a6ebef
|
@ -2,12 +2,12 @@
|
|||
This document outlines the process of using Github issues to coordinate security issues of a given project.
|
||||
|
||||
## Should you use Github issues?
|
||||
Before submitting any issues, the disclosure should have already engaged in a conversation with the Status Security team about appropriate methods of disclosure for a given project. This should be described in the SECURITY.md file within any given repository. If it is not, then follow the advice of this repository's README.md. If the discloser is still unsure, then please request guidance at security@status.im.
|
||||
Before submitting any issues, the Discloser should have already engaged in a conversation with the Status Security team about appropriate methods of disclosure for a given project. This should be described in the SECURITY.md file within any given repository. If it is not, then follow the advice of this repository's README.md. If the discloser is still unsure, then please request guidance at security@status.im.
|
||||
|
||||
## Process
|
||||
Once the discloser is aware that Github issues are the appropriate methodology of disclosure, the following procedure is **RECOMMENDED****:
|
||||
- A github issue **MUST** be created for ever individual assessment discovery
|
||||
- a `difficulty` label **MUST** be added to every issue
|
||||
- a `difficulty` label **MUST** be added to every issue. Note this it to track _difficulty of exploiting the vulnerability_.
|
||||
- The following options are available:
|
||||
- `difficulty:low`
|
||||
- `difficulty:medium`
|
||||
|
@ -22,6 +22,7 @@ Once the discloser is aware that Github issues are the appropriate methodology o
|
|||
- `severity:high`
|
||||
- `severity:critical`
|
||||
- `severity:undetermined`
|
||||
- Use [this](https://www.first.org/cvss/calculator/3.0) resource to help guide which label is appropriate.
|
||||
- a `status` label **MUST** be added to every issue
|
||||
- The following options are available:
|
||||
- `status:information-needed`
|
||||
|
@ -37,7 +38,7 @@ Once the discloser is aware that Github issues are the appropriate methodology o
|
|||
- `type:arch`
|
||||
- `type:enhancement`
|
||||
- a Status owner **SHOULD** be named as decided by the security coordinator to every issue
|
||||
- a Vender owner **SHOULD** be named as decided by the vendor to every issue
|
||||
- a Vendor owner **SHOULD** be named as decided by the vendor to every issue
|
||||
- The details of any given issues are as follows:
|
||||
- a description of the issue **MUST** be included that outlines the specifics of the disclosure
|
||||
- an exploit scenario **SHOULD** be included that outlines an example of the potential impact
|
||||
|
|
Loading…
Reference in New Issue