Skip to content

GitLab

srctweb
srctweb
Closed
Opened by David Haynes@dhaynes3🙆Owner

Create responsible disclosure page (srct.gmu.edu/documents/responsible_disclosure)

Summary

https://srct.gmu.edu/documents/responsible_disclosure/

An idea to list out some guidelines for if a security issue is found in a SRCT project and the steps that should be taken by the reporter to responsibly disclose them to us.

Helpful Links

Idea: a responsible disclosure page for security vulns

[7:41]
I'm not sure who would want to break our sites

[7:41]
but I think it'd be cool to have

Zach Knox [7:57 PM]
Would probably want @nander13 or @patriot_down to write the basic points up for how we should go about this

[7:58]
Then we can make it nice language on a page on the site

Michael Bailey [8:41 PM]
First step is to have a valid abuse/security email (edited)

[8:41]
abuse@srct.gmu.edu or something?

[8:42]
Then just have them privately disclose via like any medium (Google Form with strict perms?) then publicly get recognized (wall of fame)

[8:42]
Specify it's for kudos not pay bc we're poor

[8:42]
Or if we.'re feeling SUPER extra swag but I don't think we're able to do that

David Haynes [8:42 PM]
yeah def kudos

[8:43]
I guess a form is fine so we get specific info

Nander [8:43 PM]
I have a bunch of addresses set up to forward to srct@gmu.edu already

[8:44]
Things like postmaster, webmaster, I think even abuse already

Zach Knox [8:44 PM]
https://srct.slack.com/archives/srctweb/p1482111753000057 We could pay them in SRCT stickers Michael Bailey Specify it's for kudos not pay bc we're poor Posted in #srctwebToday at 8:42 PM

David Haynes [8:45 PM]
we'd need special stickers

[8:45]
some type of slight modification to the sticker design to look way cooler

[8:46]
only handed out to special folks

[8:46]
(like me)

Zach Knox [8:46 PM]
So like the LGBT stickers?

David Haynes [8:52 PM]
in a sense yeah that's what I'm thinking

Daniel Bond [8:59 PM]
isn't that supported with gitlab though?

[8:59]
I thought you could create private issues

Zach Knox [8:59 PM]
Not everyone is a student

David Haynes [9:00 PM]
It's not obvious to go to gitlab, find our project, open an issue, and hit the "confidential" checkbox

[9:01]
you can put that into words somewhere

[9:01]
like on our webpage

new messages Daniel Bond [9:03 PM]
very true

[9:03]
reporting vulnerabilities should have a page

[9:03]
and the docs/ part should have a disclosure portion

Edited by David Haynes