SPEC 11 --- Vulnerability Disclosure

We are doing some work at the summit on security best practices and vulnerability disclosure came up. So we’ll add it as SPEC 11. Here’s the scope for the spec:

  • Security policy (what it should include, and a template)
    • Prominently document how to report vulnerabilities
    • Contact information
  • Enable private vulnerability reporting via API (GitHub Security Advisories for GitHub, Confidential Issues for GitLab)
  • What to do when you get a vulnerability report?
    • Use resources like the Guide to coordinated vulnerability disclosure.
    • Explicitly disclose security issues affecting vendored dependencies.
    1. Acknowledge
    2. Request a CVE
    3. Share the CVE
    4. Release (add the CVE number to the release notes)

This is the draft: SPEC-11 - HackMD
This is the issue: Vulnerability Disclosure · Issue #322 · scientific-python/specs · GitHub
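As an added illustration of the first two scope items (a prominently documented reporting channel and contact information, plus private reporting), here is a minimal SECURITY.md skeleton. It is an example written for this page, not the SPEC-11 draft or any project's actual policy; the project name, contact address, version table and response times are placeholders that each project would replace with its own values.

```markdown
# Security Policy

## Supported Versions

<!-- Placeholder: list the release lines that receive security fixes. -->
| Version | Supported          |
| ------- | ------------------ |
| 2.x     | :white_check_mark: |
| 1.x     | :x:                |

## Reporting a Vulnerability

Please do **not** open a public issue for security problems.

Preferred channel: use the repository's private vulnerability reporting form
(GitHub: "Report a vulnerability" under the Security tab; GitLab: open a
confidential issue).

Alternative contact: security@example.org  <!-- placeholder address -->

Please include the affected version, a description of the issue and, where
possible, steps to reproduce it.

## What to Expect

<!-- Placeholder timelines; each project chooses its own. -->
- Acknowledgement of your report within 5 working days.
- We will request a CVE identifier for confirmed issues and share it with you.
- Fixes are released with the CVE number listed in the release notes.
- Security issues affecting vendored dependencies are disclosed explicitly
  in the advisory, not only in the dependency's own changelog.
```

The "What to Expect" section mirrors the acknowledge, request CVE, share CVE, release sequence from the scope above so that reporters can see the process the maintainers commit to before they submit.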