Update SECURITY.md template and add it to Sampler repository (#456)

gaelcolas · Jan 7, 2024 · dc2c207 · dc2c207
1 parent 5215bc7
commit dc2c207
Show file tree

Hide file tree

Showing 7 changed files with 124 additions and 83 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,10 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Update template for SECURITY.md and add it to Sampler repository as well.
+
 ### Fixed
 
 - Now the tasks work when using `Set-SamplerTaskVariable` with tasks that
   do not have the parameter `ChocolateyBuildOutput`.
+- Remove duplicate SECURITY.md template files, and fix templates to
+  point to the single version.
 - Correct description of the parameter `GalleryApiToken` in the build task
   script release.module.build.ps1. Fixes [#442](https://github.com/gaelcolas/Sampler/issues/442)
 

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,40 @@
+## Security
+
+We take the security of our modules seriously, which includes all source
+code repositories managed through our GitHub organization.
+
+If you believe you have found a security vulnerability in this repository,
+please report it to us as described below.
+
+## Reporting Security Issues
+
+The repository has enabled the ability to report a security vulnerability
+through GitHub new issue (separate button called "Report a vulnerability").
+See [Privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability)
+for more information.
+
+> [!CAUTION]
+> Please do not report security vulnerabilities through a **public** GitHub issues
+> or other public forum.
+
+You should receive a response within 48 hours. If for some reason you do not,
+please follow up privately to one or several maintainers of the repository.
+The easiest way to do so is to send us a direct message via Twitter (X),
+Slack, Discord, or find us on some other social platform.
+
+Please include the requested information listed below (as much as you can
+provide) to help us better understand the nature and scope of the possible issue:
+
+* Type of issue
+* Full paths of source file(s) related to the manifestation of the issue
+* The location of the affected source code (tag/branch/commit or direct URL)
+* Any special configuration required to reproduce the issue
+* Step-by-step instructions to reproduce the issue
+* Proof-of-concept or exploit code (if possible)
+* Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
diff --git a/Sampler/Templates/Build/SECURITY.dsccommunity.md b/Sampler/Templates/Build/SECURITY.dsccommunity.md
@@ -0,0 +1,44 @@
+## Security
+
+The DSC Community takes the security of our modules seriously, which
+includes all source code repositories managed through our GitHub organization.
+
+If you believe you have found a security vulnerability in any DSC Community
+owned repository, please report it to us as described below.
+
+## Reporting Security Issues
+
+If the repository has enabled the ability to report a security vulnerability
+through GitHub new issue (separate button called "Report a vulnerability")
+then use that. See [Privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability)
+for more information.
+
+> [!CAUTION]
+> Please do not report security vulnerabilities through a **public** GitHub issues
+> or other public forum.
+
+If the repository does not have that option then please report the security
+issue privately to one or several maintainers of the repository, or several
+members of the DSC Community organization. The easiest way to do so is to
+send us a direct message via Twitter (X), Slack, Discord, or find us on some
+other social platform.
+
+You should receive a response within 48 hours. If for some reason you do not,
+please follow up to other member of the community.
+
+Please include the requested information listed below (as much as you can
+provide) to help us better understand the nature and scope of the possible issue:
+
+* Type of issue
+* Full paths of source file(s) related to the manifestation of the issue
+* The location of the affected source code (tag/branch/commit or direct URL)
+* Any special configuration required to reproduce the issue
+* Step-by-step instructions to reproduce the issue
+* Proof-of-concept or exploit code (if possible)
+* Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
diff --git a/Sampler/Templates/Build/SECURITY.generic.md b/Sampler/Templates/Build/SECURITY.generic.md
@@ -1,28 +1,40 @@
 ## Security
 
-We take the security of our modules seriously, which includes all source code repositories managed through our GitHub organization.
+We take the security of our modules seriously, which includes all source
+code repositories managed through our GitHub organization.
 
-If you believe you have found a security vulnerability in any of our repository, please report it to us as described below.
+If you believe you have found a security vulnerability in any of our
+repository, please report it to us as described below.
 
 ## Reporting Security Issues
 
-**Please do not report security vulnerabilities through public GitHub issues.**
-
-Instead, please report them to one or several maintainers of the repository.
-The easiest way to do so is to send us a direct message via twitter or find us 
-on some other social platform.
-
-You should receive a response within 48 hours. If for some reason you do not, please follow up by other means or to other contributors.
-
-Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
-
-  * Type of issue
-  * Full paths of source file(s) related to the manifestation of the issue
-  * The location of the affected source code (tag/branch/commit or direct URL)
-  * Any special configuration required to reproduce the issue
-  * Step-by-step instructions to reproduce the issue
-  * Proof-of-concept or exploit code (if possible)
-  * Impact of the issue, including how an attacker might exploit the issue
+If the repository has enabled the ability to report a security vulnerability
+through GitHub new issue (separate button called "Report a vulnerability")
+then use that. See [Privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability)
+for more information.
+
+> [!CAUTION]
+> Please do not report security vulnerabilities through a **public** GitHub issues
+> or other public forum.
+
+If the repository does not have that option then please
+report the security issue privately to one or several maintainers of the
+repository. The easiest way to do so is to send us a direct message via
+Twitter (X), Slack, Discord, or find us  on some other social platform.
+
+You should receive a response within 48 hours. If for some reason you do not,
+please follow up by other means or to other contributors.
+
+Please include the requested information listed below (as much as you can
+provide) to help us better understand the nature and scope of the possible issue:
+
+* Type of issue
+* Full paths of source file(s) related to the manifestation of the issue
+* The location of the affected source code (tag/branch/commit or direct URL)
+* Any special configuration required to reproduce the issue
+* Step-by-step instructions to reproduce the issue
+* Proof-of-concept or exploit code (if possible)
+* Impact of the issue, including how an attacker might exploit the issue
 
 This information will help us triage your report more quickly.
 

diff --git a/Sampler/Templates/Sampler/SECURITY.dsccommunity.md b/Sampler/Templates/Sampler/SECURITY.dsccommunity.md
diff --git a/Sampler/Templates/Sampler/SECURITY.generic.md b/Sampler/Templates/Sampler/SECURITY.generic.md
diff --git a/Sampler/Templates/Sampler/plasterManifest.xml b/Sampler/Templates/Sampler/plasterManifest.xml
@@ -626,13 +626,13 @@
     />
 
    <!-- SECURITY MD DSC COMMUNITY -->
-   <file source='SECURITY.dsccommunity.md'
+   <file source='../Build/SECURITY.dsccommunity.md'
           destination='${PLASTER_PARAM_ModuleName}/SECURITY.md'
           condition='${PLASTER_PARAM_ModuleType} -in @("dsccommunity")'
     />
 
-   <!-- SECURITY MD DSC GENERIC -->
-   <file source='SECURITY.generic.md'
+   <!-- SECURITY MD GENERIC -->
+   <file source='../Build/SECURITY.generic.md'
           destination='${PLASTER_PARAM_ModuleName}/SECURITY.md'
           condition='${PLASTER_PARAM_ModuleType} -in @("CompleteSample") -or ${PLASTER_PARAM_Features} -Contains ("All") -or ${PLASTER_PARAM_Features} -Contains ("git") -or ${PLASTER_PARAM_Features} -Contains ("github")'
     />