New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft security policy #2163
base: main
Are you sure you want to change the base?
Draft security policy #2163
Conversation
## Reporting a Vulnerability | ||
|
||
Please report security bugs [via GitHub](https://github.com/hickory-dns/hickory-dns/security/advisories/new). | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be good to include a statement here reminding people to not use public issues or PRs to report security issues and also a statement that Hickory doesn't offer a bug bounty at this time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I agree with this.
Speaking from experience with other DNS projects, you might want to mention e.g.:
For starters, I'm not sure if DNSSEC validation and related features are fully supported (in the political sense) and if misvalidations should be reported as security bugs. |
This is currently true, but we are going to be getting better here, so it's worth having a statement on it. I think the bigger question is on response time. I don't thin we are able to guarantee a rapid response to security issues in general, and DNSSEC is more complex than most other issues and could require longer turn around to fix. |
I think the only definite time frames should be acknowledgement and initial response time frames - which could be several days (Node, for instance, has a 5 day response time,) with a time frame to deliver a fix and coordinate disclosure with the researcher to be worked out on a case-by-case basis. Maybe something like this:
|
|
||
| Version | Supported | | ||
| -------- | --------------------------- | | ||
| 0.24.x | :white_check_mark: | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rather than explicitly stating versions, should we instead talk about "current version" and "previous versions"?
@bluejekyll feel free to take over this branch, I'm not sure I will have much time to work on it. |
Fixes #2159.