From 28a52d3540fcf2304a63f6b83dfdd293452f9a0a Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Tue, 23 Jan 2024 16:29:34 -0500 Subject: [PATCH] add security.rst to docs, unblock some URLs --- .github/workflows/main.yml | 2 ++ SECURITY.md | 2 ++ docs/index.rst | 1 + docs/security.rst | 46 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 51 insertions(+) create mode 100644 docs/security.rst diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index d03342841..5be0702c5 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -84,6 +84,8 @@ jobs: disable-sudo: true egress-policy: block allowed-endpoints: > + api.github.com:443 + dap.service.does.not.exist:443 files.pythonhosted.org:443 github.com:443 pypi.org:443 diff --git a/SECURITY.md b/SECURITY.md index e1ee3cfb7..19c730c2d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,5 +1,7 @@ # Security Policy +[//]: # (ATTENTION: This is the Markdown version of docs/security.rst. Any changes should also be made in the ReStructuredText version.) + ## Supported Versions `xclim` is in rapid development and receives regular updates every four to six (4-6) weeks. In the event of a security-related bug discovery soon after the release of an `xclim` version, the last supported version will receive a patch release. diff --git a/docs/index.rst b/docs/index.rst index ed72572bd..4e7d551d1 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -41,6 +41,7 @@ Leveraging xarray and dask, users can easily bias-adjust climate simulations ove authors changes + security references .. toctree:: diff --git a/docs/security.rst b/docs/security.rst new file mode 100644 index 000000000..e8511e81e --- /dev/null +++ b/docs/security.rst 
@@ -0,0 +1,46 @@ +=============== +Security Policy +=============== + +.. + This is the ReStructuredText version of SECURITY.md. Any changes should also be made in the Markdown version. + +Supported Versions +================== + +`xclim` is in rapid development and receives regular updates every four to six (4-6) weeks. In the event of a security-related bug discovery soon after the release of an `xclim` version, the last supported version will receive a patch release. + +Reporting a Vulnerability +========================= + +If you believe you have found a security vulnerability in `xclim`, we encourage you to let us know right away. We take all security vulnerabilities seriously and appreciate your efforts to responsibly disclose them. + +Please follow these steps to report a security vulnerability: + +#. **Email**: Email `github-support@ouranos.ca `_ with a detailed description of the vulnerability. If applicable, please include any steps or a proof-of-concept to help us understand and reproduce the issue. + +#. **Encryption (Optional)**: If you are concerned about the sensitivity of the information you are sharing, you can use the PGP key found below to encrypt your communication. + +#. **Response**: We will acknowledge your email within 48 hours and work with you to understand and confirm the vulnerability. + +#. **Fix and Disclosure**: Once the vulnerability is confirmed, we will work to address it promptly. We appreciate your patience as we investigate and implement a fix. Once resolved, we will coordinate the disclosure and provide credit to the reporter unless they prefer to remain anonymous. 
+ +PGP Encryption Key +================== + +You can use the following PGP key to encrypt your communications with us:: + + -----BEGIN PGP PUBLIC KEY BLOCK----- + + mDMEZamQrhYJKwYBBAHaRw8BAQdA+saPvmvr1MYe1nQy3n3QDcRE9T7UzTJ1XH31 + EI4Zb6u0Mk91cmFub3MgR2l0SHViIFN1cHBvcnQgPGdpdGh1Yi1zdXBwb3J0QG91 + cmFub3MuY2E+iJkEExYKAEEWIQSeAu+Cbjupx79jy9VeVFD6o5TVcwUCZamQrgIb + AwUJCWYBgAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRBeVFD6o5TVc4ho + AQDXjDkx0b3A7yl6PQ4hBJ2uYzw0UWbml7mUwVdhMmdZkQD/VJZQNWrCQeOtYEM8 + icZJYwR/OsKFOWqlDytusGGtjwa4OARlqZCuEgorBgEEAZdVAQUBAQdAa41Zabjz + P9O+p6tI69Cnft6U5om3+qCcMo8amTqauH0DAQgHiH4EGBYKACYWIQSeAu+Cbjup + x79jy9VeVFD6o5TVcwUCZamQrgIbDAUJCWYBgAAKCRBeVFD6o5TVcwmaAQClDxW6 + 2gir7lhRXAcO+vmRImpGd29TrkcQVh+ak7VlwQEA706d7Kusiorlf/h8pLSoNMmS + kuLGmHpUJ8NVGppU+wo= + =wuxr + -----END PGP PUBLIC KEY BLOCK-----
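Review bot: in the `.github/workflows/main.yml` hunk, the new egress entry `dap.service.does.not.exist:443` reads like a placeholder, and nothing in the hunk explains why a host that by its own name does not exist must be allowed through `egress-policy: block`. If it is a deliberately unresolvable sentinel (for example one the test suite uses to exercise the unreachable-server path), record that next to the list, e.g. as a YAML comment on the line above `allowed-endpoints: >` (a `#` inside the folded scalar would become part of the value, not a comment), or in the PR description; otherwise a later tidy-up will remove it and quietly change behaviour, and if it is a typo the hostname should be corrected. Adding `api.github.com:443` widens what the hardened runner may reach, so it is worth naming which step needs it.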
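Review bot: in the `SECURITY.md` hunk, the hidden `[//]: # (ATTENTION: ...)` comment relies on contributors remembering to mirror edits into `docs/security.rst` by hand, and duplicated policy text of this kind drifts. Consider making the sync mechanical instead: a CI step that fails when the two files' sections differ, or generating one file from the other at release time. Note also that this comment form is invisible in rendered Markdown, so anyone editing through a preview-only view will never see the instruction.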
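Review bot: in the `docs/security.rst` hunk, the email reference in the first reporting step shows no link target here (`` `github-support@ouranos.ca `_ ``); a reStructuredText reference of that form needs a target, so confirm the source reads `` `github-support@ouranos.ca <mailto:github-support@ouranos.ca>`_ `` or Sphinx will report an unknown target name. Separately, the PGP section gives a reporter no way to check that the key block is the intended one: state the key's fingerprint (and expiry, if one is set) in prose above the `::` literal block, and publish the same fingerprint in `SECURITY.md`, whose hunk in this patch adds only the sync comment, so that the two copies can be cross-checked against each other and against the email address they are tied to.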