Create responsible disclosure page (srct.gmu.edu/documents/responsible_disclosure) (#21) · Issues · SRCT / srctweb

Create responsible disclosure page (srct.gmu.edu/documents/responsible_disclosure)

Summary

https://srct.gmu.edu/documents/responsible_disclosure/

An idea to list out some guidelines for if a security issue is found in a SRCT project and the steps that should be taken by the reporter to responsibly disclose them to us.

Helpful Links

https://www.hackerone.com/disclosure-guidelines

Idea: a responsible disclosure page for security vulns

[7:41]
I'm not sure who would want to break our sites

[7:41]
but I think it'd be cool to have

Zach Knox [7:57 PM]
Would probably want @nander13 or @patriot_down to write the basic points up for how we should go about this

[7:58]
Then we can make it nice language on a page on the site

Michael Bailey [8:41 PM]
First step is to have a valid abuse/security email (edited)

[8:41]
abuse@srct.gmu.edu or something?

[8:42]
Then just have them privately disclose via like any medium (Google Form with strict perms?) then publicly get recognized (wall of fame)

[8:42]
Specify it's for kudos not pay bc we're poor

[8:42]
Or if we.'re feeling SUPER extra swag but I don't think we're able to do that

David Haynes [8:42 PM]
yeah def kudos

[8:43]
I guess a form is fine so we get specific info

Nander [8:43 PM]
I have a bunch of addresses set up to forward to srct@gmu.edu already

[8:44]
Things like postmaster, webmaster, I think even abuse already

Zach Knox [8:44 PM]
https://srct.slack.com/archives/srctweb/p1482111753000057 We could pay them in SRCT stickers Michael Bailey Specify it's for kudos not pay bc we're poor Posted in #srctwebToday at 8:42 PM

David Haynes [8:45 PM]
we'd need special stickers

[8:45]
some type of slight modification to the sticker design to look way cooler

[8:46]
only handed out to special folks

[8:46]
(like me)

Zach Knox [8:46 PM]
So like the LGBT stickers?

David Haynes [8:52 PM]
in a sense yeah that's what I'm thinking

Daniel Bond [8:59 PM]
isn't that supported with gitlab though?

[8:59]
I thought you could create private issues

Zach Knox [8:59 PM]
Not everyone is a student

David Haynes [9:00 PM]
It's not obvious to go to gitlab, find our project, open an issue, and hit the "confidential" checkbox

[9:01]
you can put that into words somewhere

[9:01]
like on our webpage

new messages Daniel Bond [9:03 PM]
very true

[9:03]
reporting vulnerabilities should have a page

[9:03]
and the docs/ part should have a disclosure portion

## Summary

[https://srct.gmu.edu/documents/responsible_disclosure/]()

An idea to list out some guidelines for if a security issue is found in a SRCT project and the steps that should be taken by the reporter to responsibly disclose them to us.

## Helpful Links

- https://www.hackerone.com/disclosure-guidelines

>>>
Idea: a responsible disclosure page for security vulns

[7:41]  
I'm not sure who would want to break our sites

[7:41]  
but I think it'd be cool to have

Zach Knox [7:57 PM]  
Would probably want @nander13 or @patriot_down to write the basic points up for how we should go about this

[7:58]  
Then we can make it nice language on a page on the site

Michael Bailey [8:41 PM]  
First step is to have a valid abuse/security email (edited)

[8:41]  
abuse@srct.gmu.edu or something?

[8:42]  
Then just have them privately disclose via like any medium (Google Form with strict perms?) then publicly get recognized (wall of fame)

[8:42]  
Specify it's for kudos not pay bc we're poor

[8:42]  
Or if we.'re feeling SUPER extra swag but I don't think we're able to do that

David Haynes [8:42 PM]  
yeah def kudos

[8:43]  
I guess a form is fine so we get specific info

Nander [8:43 PM]  
I have a bunch of addresses set up to forward to srct@gmu.edu already

[8:44]  
Things like postmaster, webmaster, I think even abuse already

Zach Knox [8:44 PM]  
https://srct.slack.com/archives/srctweb/p1482111753000057
We could pay them in SRCT stickers
 Michael Bailey
Specify it's for kudos not pay bc we're poor
Posted in #srctwebToday at 8:42 PM

David Haynes [8:45 PM]  
we'd need special stickers

[8:45]  
some type of slight modification to the sticker design to look way cooler

[8:46]  
only handed out to special folks

[8:46]  
(like me)

Zach Knox [8:46 PM]  
So like the LGBT stickers?

David Haynes [8:52 PM]  
in a sense yeah that's what I'm thinking

Daniel Bond [8:59 PM]  
isn't that supported with gitlab though?

[8:59]  
I thought you could create private issues

Zach Knox [8:59 PM]  
Not everyone is a student

David Haynes [9:00 PM]  
It's not obvious to go to gitlab, find our project, open an issue, and hit the "confidential" checkbox

[9:01]  
you can put that into words somewhere

[9:01]  
like on our webpage

new messages
Daniel Bond [9:03 PM]  
very true

[9:03]  
reporting vulnerabilities should have a page

[9:03]  
and the docs/ part should have a disclosure portion
>>>

Edited Aug 06, 2017 by David Haynes

Create responsible disclosure page (srct.gmu.edu/documents/responsible_disclosure)

Summary

Helpful Links

Linked issues