Update policy to explicitly state security issues will be handled privately

Created on 2 September 2022, almost 3 years ago
Updated 2 September 2024, 10 months ago

Problem/Motivation

The current git access agreement has a security-related loophole: it says "I will cooperate with the Drupal Security Team as needed." but does not specifically state that issues identified as security related will be opened as private issues instead of being left public.

Proposed resolution

Add wording to the git access agreement that specifically states that issues identified as security related will be opened as private issues instead of being left as public issues.

Remaining tasks

Work out the correct location to add wording.
Work out good wording for this issue.

✨ Feature request
Status

Active

Version

1.0

Component

Security Working Group (policy questions)

Created by

🇺🇸 United States damienmckenna NH, USA


Comments & Activities


  • 🇺🇸 United States cmlara

    Adding some context to my post in #4, as the issues that caused my concern are now public and site owners have had time to install them.

    At the time I was dealing with the Drupal Security Team allowing Drupal Core vulnerabilities to go without a fix for years after the initial reports were made. Specifically SA-CORE-2023-005 was an issue that was a concern. I had finished SA-CORE-2022-012 after an extended period of time to resolve (where the original concerns I raised were never actually fixed). Additionally I had negative experiences with the DST coordinating with Contrib maintainers who are non-responsive.

    I agree security issues should initially be discussed in private, and that we do not do enough to facilitate this.

    I am very concerned that a policy threatening git access rights could be abused to punish security consultants, forcing us to choose between allowing security vulnerabilities to go unreported/unfixed or losing our ability to maintain our own projects.
