launchpad-reviewers team mailing list archive

Re: [Merge] ~alvarocs/launchpad:feature/security_md_update into launchpad:master

You might also include a short bit of information about what people can expect (e.g. "we'll review and get back to you" or "we'll review but won't respond").

It might also be possible to highlight what we might and might not consider to be security concerns, which could help us reduce the amount of false positives received. We could also add this later.

I think it might also be good to link to the Ubuntu Security disclosure and embargo policy: https://ubuntu.com/security/disclosure-policy

Diff comments:

> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 0000000..0fc7efd
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,17 @@
> +# Launchpad Security Policy
> +
> +If you discover a security vulnerability, please follow the steps outlined below to report it:
> +
> +1. **Do not** publicly disclose the vulnerability.
> +2. Contact us via email at [feedback@xxxxxxxxxxxxx](mailto:feedback@xxxxxxxxxxxxx).
> +3. Provide detailed information about the vulnerability, including:
> +   - A description of the vulnerability.
> +   - Steps to reproduce the issue.
> +   - Potential impact and affected versions.
> +   - Suggested mitigations, if possible.
> +
> +Alternatively, you may report vulnerabilities via [Launchpad's private bug system](https://bugs.launchpad.net/).

I think we could omit this altogether for a start, and then figure out how to make this a better experience later. I worry about the possibility of leaking private information with this route, whereas it's much less likely for the private e-mail mechanism.

> +
> +The [Ubuntu Security disclosure and embargo policy](https://ubuntu.com/security/disclosure-policy) contains more information about what you can expect when you contact us and what we expect from you.
> +
> +The Launchpad team will be notified of the issue, review the vulnerability, assign a CVE, and coordinate the release of the fix.
> \ No newline at end of file
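
Review bot: steps 2 and 3 ask reporters to send reproduction steps and impact details over plain e-mail but give them no way to encrypt that material; consider adding a PGP key fingerprint (or a link to where the key is published) next to the address. The final paragraph also commits the team to "assign a CVE"; confirm that the team can assign CVEs directly, otherwise reword to "request a CVE". Minor: the file is missing a trailing newline.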


-- 
https://code.launchpad.net/~alvarocs/launchpad/+git/launchpad/+merge/473581
Your team Launchpad code reviewers is requested to review the proposed merge of ~alvarocs/launchpad:feature/security_md_update into launchpad:master.
