Create responsible disclosure page (srct.gmu.edu/documents/responsible_disclosure)
Summary
https://srct.gmu.edu/documents/responsible_disclosure/
An idea to list some guidelines for when a security issue is found in an SRCT project, and the steps a reporter should take to responsibly disclose it to us.
Helpful Links
[7:41] Idea: a responsible disclosure page for security vulns
[7:41] I'm not sure who would want to break our sites
but I think it'd be cool to have

Zach Knox [7:57 PM]
[7:58] Would probably want @nander13 or @patriot_down to write the basic points up for how we should go about this
Then we can make it nice language on a page on the site

Michael Bailey [8:41 PM]
[8:41] First step is to have a valid abuse/security email (edited)
[8:42] abuse@srct.gmu.edu or something?
[8:42] Then just have them privately disclose via like any medium (Google Form with strict perms?) then publicly get recognized (wall of fame)
[8:42] Specify it's for kudos not pay bc we're poor
Or if we're feeling SUPER extra swag but I don't think we're able to do that

David Haynes [8:42 PM]
[8:43] yeah def kudos
I guess a form is fine so we get specific info

Nander [8:43 PM]
[8:44] I have a bunch of addresses set up to forward to srct@gmu.edu already
Things like postmaster, webmaster, I think even abuse already

Zach Knox [8:44 PM]
https://srct.slack.com/archives/srctweb/p1482111753000057
We could pay them in SRCT stickers
(shared message: Michael Bailey, posted in #srctweb today at 8:42 PM: "Specify it's for kudos not pay bc we're poor")

David Haynes [8:45 PM]
[8:45] we'd need special stickers
[8:46] some type of slight modification to the sticker design to look way cooler
[8:46] only handed out to special folks
(like me)

Zach Knox [8:46 PM]
So like the LGBT stickers?

David Haynes [8:52 PM]
in a sense yeah that's what I'm thinking

Daniel Bond [8:59 PM]
[8:59] isn't that supported with gitlab though?
I thought you could create private issues

Zach Knox [8:59 PM]
Not everyone is a student

David Haynes [9:00 PM]
[9:01] It's not obvious to go to gitlab, find our project, open an issue, and hit the "confidential" checkbox
[9:01] you can put that into words somewhere
like on our webpage

Daniel Bond [9:03 PM]
[9:03] very true
[9:03] reporting vulnerabilities should have a page
and the docs/ part should have a disclosure portion