- Reporting security problems to PRTriage
- Security Point of Contact
- Incident Response Process
- Vulnerability Management Plan
CREATE AN ISSUE to report a security problems.
The security point of contact is Sam Yamashita. Sam responds to security incident reports as fast as possible, within one business day at the latest.
If Sam does not respond then please contact [email protected] who can disable any access for the PRTriage app until the security incident is resolved.
In case an incident is discovered or reported, I will follow the following process to contain, respond and remediate:
The first step is to find out the root cause, nature and scope of the incident.
- Is still ongoing? If yes, first priority is to stop it.
- Is the incident outside of my influence? If yes, first priority is to contain it.
- Find out knows about the incident and who is affected.
- Find out what data was potentially exposed.
One way to immediately remove all access for the PRTriage app is to remove the private key from the PRTriage App Settings page. The access can be recovered later by generating a new private key and re-deploy the app.
After the initial assessment and containment to my best abilities, I will document all actions taken in a response plan.
Once the incident is confirmed to be resolved, I will summarize the lessons learned from the incident and create a list of actions I will take to prevent it from happening again.
The PRTriage App uses the least amount of access to limit the impact of possible security incidents, see Information collection and use.
If someone would get access to the PRTriage app, the worst thing they could do is to read out contents from pull requests, limited to repositories the PRTriage got installed on.
The PRTriage GitHub Organization requires 2FA authorization for all members.
We learn about critical software updates and security threats from these sources
- GitHub Security Alerts
- GitHub: https://status.github.com/ & @githubstatus
- Dependabot (Dependency management for general): https://dependabot.com/ & @dependabot
- Snyk (Dependency management for security): https://snyk.statuspage.io/ & @snyksec
- Travis (Continuous Integration): https://www.traviscistatus.com/ & @traviscistatus
- Heroku (Hosting): https://status.heroku.com/ & @herokustatus