launchpad-reviewers team mailing list archive

Re: [Merge] ~alvarocs/launchpad:feature/security_md_update into launchpad:master

Diff comments:

> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 0000000..0fc7efd
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,17 @@
> +# Launchpad Security Policy
> +
> +If you discover a security vulnerability, please follow the steps outlined below to report it:
> +
> +1. **Do not** publicly disclose the vulnerability.
> +2. Contact us via email at [feedback@xxxxxxxxxxxxx](mailto:feedback@xxxxxxxxxxxxx).
> +3. Provide detailed information about the vulnerability, including:
> +   - A description of the vulnerability.
> +   - Steps to reproduce the issue.
> +   - Potential impact and affected versions.
> +   - Suggested mitigations, if possible.
> +
> +Alternatively, you may report vulnerabilities via [Launchpad's private bug system](https://bugs.launchpad.net/).

We should maybe be explicit on how to report it privately, because by default it will be public. Something like a "Make sure to select ..." type of sentence.

> +
> +The [Ubuntu Security disclosure and embargo policy](https://ubuntu.com/security/disclosure-policy) contains more information about what you can expect when you contact us and what we expect from you.
> +
> +The Launchpad team will be notified of the issue, review the vulnerability, assign a CVE, and coordinate the release of the fix.
> \ No newline at end of file
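Review bot: step 2 offers only a plain email address with no mention of a PGP key or other way to encrypt the report, so a reporter's vulnerability details travel in clear text; if the team publishes a key, reference it next to the address, or say explicitly that the private bug tracker is the preferred channel for sensitive details. Two smaller points in the same hunk: the "affected versions" item in step 3 does not map cleanly to a hosted service like Launchpad (asking for the time and URL where the behaviour was observed would be more useful), and the closing paragraph promises triage, CVE assignment and a coordinated fix without any acknowledgement or response timeframe; even a line such as "we aim to acknowledge reports within N business days" (N to be filled in by the team) tells a reporter when it is reasonable to follow up.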

Nit: I'd add an extra line at the end of the file :)



-- 
https://code.launchpad.net/~alvarocs/launchpad/+git/launchpad/+merge/473581
Your team Launchpad code reviewers is requested to review the proposed merge of ~alvarocs/launchpad:feature/security_md_update into launchpad:master.