1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-10 04:43:53 +02:00

maintainers: add checklist for security releases

Co-Authored-By: Robert Hensing <robert@roberthensing.nl
Co-authored-by: Dan Baker <daniel.n.baker@gmail.com>
This commit is contained in:
Valentin Gagarin 2024-09-02 15:02:55 +02:00
parent 0f59c2102e
commit 9bb153acb2
3 changed files with 86 additions and 2 deletions

View file

@ -0,0 +1,31 @@
# Handling security reports
Reports can be expected to be submitted following the [security policy](https://github.com/NixOS/nix/security/policy), but may reach maintainers on various other channels.
In case a vulnerability is reported:
1. [Create a GitHub security advisory](https://github.com/NixOS/nix/security/advisories/new)
> [!IMPORTANT]
> Add the reporter as a collaborator so they get notified of all activities.
In addition to the details in the advisory template, the initial report should:
- Include sufficient details of the vulnerability to allow it to be understood and reproduced.
- Redact any personal data.
- Set a deadline (if applicable).
- Provide proof of concept code (if available).
- Reference any further reading material that may be appropriate.
1. Establish a private communication channel (e.g. a Matrix room) with the reporter and all Nix maintainers.
1. Communicate with the reporter which team members are assigned and when they are available.
1. Consider which immediate preliminary measures should be taken before working on a fix.
1. Prioritize fixing the security issue over ongoing work.
1. Keep everyone involved up to date on progress and the estimated timeline for releasing the fix.
> See also the instructions for [security releases](./release-process.md#security-releases).