addressing PR comments

Corey 2020-03-23 14:58:12 -04:00
parent 0e1093e3bb
commit bdb5a6ebef
No known key found for this signature in database
GPG Key ID: 724684AF1BAAC90F
1 changed files with 4 additions and 3 deletions


@ -2,12 +2,12 @@
This document outlines the process of using Github issues to coordinate security issues of a given project.
## Should you use Github issues?
Before submitting any issues, the disclosure should have already engaged in a conversation with the Status Security team about appropriate methods of disclosure for a given project. This should be described in the SECURITY.md file within any given repository. If it is not, then follow the advice of this repository's README.md. If the discloser is still unsure, then please request guidance at security@status.im.
Before submitting any issues, the Discloser should have already engaged in a conversation with the Status Security team about appropriate methods of disclosure for a given project. This should be described in the SECURITY.md file within any given repository. If it is not, then follow the advice of this repository's README.md. If the discloser is still unsure, then please request guidance at security@status.im.
## Process
Once the discloser is aware that Github issues are the appropriate methodology of disclosure, the following procedure is **RECOMMENDED****:
- A github issue **MUST** be created for ever individual assessment discovery
- a `difficulty` label **MUST** be added to every issue
- a `difficulty` label **MUST** be added to every issue. Note this it to track _difficulty of exploiting the vulnerability_.
- The following options are available:
- `difficulty:low`
- `difficulty:medium`
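Review bot: the new difficulty note still carries a typo: "Note this it to track _difficulty of exploiting the vulnerability_" should read "Note this is to track _difficulty of exploiting the vulnerability_". The rewritten first sentence also mixes "the Discloser should have already engaged" with "If the discloser is still unsure" in the same paragraph; pick one capitalization (the rest of the document uses lowercase "discloser"). Since this commit is already touching the surrounding lines, two defects in the unchanged context are worth fixing in the same pass: "the following procedure is **RECOMMENDED****:" has two stray asterisks and renders badly, and "created for ever individual assessment discovery" should be "created for every individual assessment discovery".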
@ -22,6 +22,7 @@ Once the discloser is aware that Github issues are the appropriate methodology o
- `severity:high`
- `severity:critical`
- `severity:undetermined`
- Use [this](https://www.first.org/cvss/calculator/3.0) resource to help guide which label is appropriate.
- a `status` label **MUST** be added to every issue
- The following options are available:
- `status:information-needed`
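Review bot: the added CVSS line points at a calculator but never states how a score maps onto the `severity:*` labels, so two people scoring the same finding can still pick different labels. Spell out the mapping next to the link, for example the standard CVSS qualitative bands (0.1-3.9 low, 4.0-6.9 medium, 7.0-8.9 high, 9.0-10.0 critical), and say when `severity:undetermined` applies (e.g. until the discloser and the Status owner agree on a vector). The bare link text "this" is also not descriptive; "Use the [CVSS 3.0 calculator](https://www.first.org/cvss/calculator/3.0) to ..." reads better and survives being copied out of context.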
@ -37,7 +38,7 @@ Once the discloser is aware that Github issues are the appropriate methodology o
- `type:arch`
- `type:enhancement`
- a Status owner **SHOULD** be named as decided by the security coordinator to every issue
- a Vender owner **SHOULD** be named as decided by the vendor to every issue
- a Vendor owner **SHOULD** be named as decided by the vendor to every issue
- The details of any given issues are as follows:
- a description of the issue **MUST** be included that outlines the specifics of the disclosure
- an exploit scenario **SHOULD** be included that outlines an example of the potential impact
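Review bot: the "Vender" to "Vendor" fix is correct, but both owner lines still read "be named as decided by the ... to every issue", which is awkward; "a Vendor owner **SHOULD** be assigned to every issue, as decided by the vendor" (and the same shape for the Status owner line) says what is meant. In the unchanged context just below, "The details of any given issues are as follows" should be "The details of any given issue are as follows".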