author: OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> 2022-06-09 13:25:12 -0400
committer: GitHub <noreply@github.com> 2022-06-09 13:25:12 -0400
commit: e5ef9fd5bc9ba959f134411e548e3820444f484c (patch)
tree: eebbaa37c086af932e223cb6f113e2fbcfeaeb35 /vendor/github.com/seccomp/libseccomp-golang/SECURITY.md
parent: fd1d0d67fbc1b7c26799370dc153009f9dde50bb (diff)
parent: 7e9767502575f257776477ed0c01fe10ef42b465 (diff)
download: podman-e5ef9fd5bc9ba959f134411e548e3820444f484c.tar.gz, .tar.bz2, .zip
Merge pull request #14548 from containers/dependabot/go_modules/github.com/opencontainers/runc-1.1.3
Bump github.com/opencontainers/runc from 1.1.2 to 1.1.3
Diffstat (limited to 'vendor/github.com/seccomp/libseccomp-golang/SECURITY.md')
-rw-r--r-- vendor/github.com/seccomp/libseccomp-golang/SECURITY.md | 47
1 files changed, 47 insertions, 0 deletions
diff --git a/vendor/github.com/seccomp/libseccomp-golang/SECURITY.md b/vendor/github.com/seccomp/libseccomp-golang/SECURITY.md
new file mode 100644
index 000000000..c448faa8e
--- /dev/null
+++ b/vendor/github.com/seccomp/libseccomp-golang/SECURITY.md
@@ -0,0 +1,47 @@
+The libseccomp-golang Security Vulnerability Handling Process
+===============================================================================
+https://github.com/seccomp/libseccomp-golang
+
+This document document attempts to describe the processes through which
+sensitive security relevant bugs can be responsibly disclosed to the
+libseccomp-golang project and how the project maintainers should handle these
+reports. Just like the other libseccomp-golang process documents, this
+document should be treated as a guiding document and not a hard, unyielding set
+of regulations; the bug reporters and project maintainers are encouraged to
+work together to address the issues as best they can, in a manner which works
+best for all parties involved.
+
+### Reporting Problems
+
+Problems with the libseccomp-golang library that are not suitable for immediate
+public disclosure should be emailed to the current libseccomp-golang
+maintainers, the list is below. We typically request at most a 90 day time
+period to address the issue before it is made public, but we will make every
+effort to address the issue as quickly as possible and shorten the disclosure
+window.
+
+* Paul Moore, paul@paul-moore.com
+* Tom Hromatka, tom.hromatka@oracle.com
+
+### Resolving Sensitive Security Issues
+
+Upon disclosure of a bug, the maintainers should work together to investigate
+the problem and decide on a solution. In order to prevent an early disclosure
+of the problem, those working on the solution should do so privately and
+outside of the traditional libseccomp-golang development practices. One
+possible solution to this is to leverage the GitHub "Security" functionality to
+create a private development fork that can be shared among the maintainers, and
+optionally the reporter. A placeholder GitHub issue may be created, but
+details should remain extremely limited until such time as the problem has been
+fixed and responsibly disclosed. If a CVE, or other tag, has been assigned to
+the problem, the GitHub issue title should include the vulnerability tag once
+the problem has been disclosed.
+
+### Public Disclosure
+
+Whenever possible, responsible reporting and patching practices should be
+followed, including notification to the linux-distros and oss-security mailing
+lists.
+
+* https://oss-security.openwall.org/wiki/mailing-lists/distros
+* https://oss-security.openwall.org/wiki/mailing-lists/oss-security
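Review bot: duplicated word in the first paragraph of the hunk, `+This document document attempts to describe` should read `This document attempts to describe`, and the "Reporting Problems" paragraph has a comma splice in `+maintainers, the list is below.` that reads better as `maintainers listed below.` More substantively, the reporting section asks for sensitive, non-public bug reports by email but lists only plain addresses (`paul@paul-moore.com`, `tom.hromatka@oracle.com`) with no PGP key fingerprints or other confidential channel, so a reporter following this document as written would send vulnerability details in cleartext; since the "Resolving Sensitive Security Issues" section already points at GitHub's "Security" functionality for the private fork, the reporting section could likewise name an encrypted or GitHub-hosted private reporting path alongside the email addresses. Since this is a vendored copy under `vendor/`, these fixes belong upstream in libseccomp-golang rather than in this podman dependency bump.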