SRCT / srctweb / Issues / #21 (Closed)

Created Dec 18, 2016 by David Haynes (@dhaynes3, Owner)

Create responsible disclosure page (srct.gmu.edu/documents/responsible_disclosure)

Summary

https://srct.gmu.edu/documents/responsible_disclosure/

An idea: list out some guidelines for what to do if a security issue is found in an SRCT project, and the steps a reporter should take to responsibly disclose it to us.

Helpful Links

  • https://www.hackerone.com/disclosure-guidelines

Idea: a responsible disclosure page for security vulns

[7:41]
I'm not sure who would want to break our sites

[7:41]
but I think it'd be cool to have

Zach Knox [7:57 PM]
Would probably want @nander13 or @patriot_down to write the basic points up for how we should go about this

[7:58]
Then we can make it nice language on a page on the site

Michael Bailey [8:41 PM]
First step is to have a valid abuse/security email

[8:41]
abuse@srct.gmu.edu or something?

[8:42]
Then just have them privately disclose via like any medium (Google Form with strict perms?) then publicly get recognized (wall of fame)

[8:42]
Specify it's for kudos not pay bc we're poor

[8:42]
Or if we're feeling SUPER extra, swag, but I don't think we're able to do that

David Haynes [8:42 PM]
yeah def kudos

[8:43]
I guess a form is fine so we get specific info

Nander [8:43 PM]
I have a bunch of addresses set up to forward to srct@gmu.edu already

[8:44]
Things like postmaster, webmaster, I think even abuse already

Zach Knox [8:44 PM]
We could pay them in SRCT stickers
(quoting Michael Bailey, posted in #srctweb today at 8:42 PM: "Specify it's for kudos not pay bc we're poor" https://srct.slack.com/archives/srctweb/p1482111753000057)

David Haynes [8:45 PM]
we'd need special stickers

[8:45]
some type of slight modification to the sticker design to look way cooler

[8:46]
only handed out to special folks

[8:46]
(like me)

Zach Knox [8:46 PM]
So like the LGBT stickers?

David Haynes [8:52 PM]
in a sense yeah that's what I'm thinking

Daniel Bond [8:59 PM]
isn't that supported with gitlab though?

[8:59]
I thought you could create private issues

Zach Knox [8:59 PM]
Not everyone is a student

David Haynes [9:00 PM]
It's not obvious to go to gitlab, find our project, open an issue, and hit the "confidential" checkbox

[9:01]
you can put that into words somewhere

[9:01]
like on our webpage

Daniel Bond [9:03 PM]
very true

[9:03]
reporting vulnerabilities should have a page

[9:03]
and the docs/ part should have a disclosure portion

Edited Aug 06, 2017 by David Haynes