
Create SECURITY.md #1238

Merged
merged 4 commits into from
Aug 2, 2024

Conversation

mymindstorm
Member

No description provided.

@mymindstorm mymindstorm requested a review from Sneezry July 21, 2024 00:03
SECURITY.md Outdated

## Supported Versions

We support any version published via our official distribution channels.
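Review bot: "any version published via our official distribution channels" leaves two things open that a reporter or user needs to know: which channels count as official (none are named here), and whether an older build still available in a channel keeps receiving fixes or only the latest release does. Suggest listing the channels and stating the version rule explicitly, e.g. "Only the latest version available in each listed channel receives security fixes."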
Member

I suggest that we only ensure that the Chrome and Firefox versions can be fixed as soon as possible, because Edge and Safari have relatively large API changes and may have technical limitations.

Member Author

@mymindstorm mymindstorm Jul 27, 2024

Before the big update a few years ago Edge was very different, but now it is almost the same as Chrome. I might just be forgetting, but what are the big differences in Edge? Given that we have 2M+ active users there, we should support it. For Safari I agree with you, unless @rebornix would like to add.

Member Author

If we move forward with not supporting Safari, we should indicate it is a "community version" or similar in the README.

SECURITY.md Outdated

Report potential vulnerabilities privately via [this form](https://github.com/Authenticator-Extension/Authenticator/security/advisories/new).
Where appropriate, include a proof-of-concept and reproduction steps.
We will provide an initial response within 5 days.
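Review bot: the only reporting path given is the GitHub advisory form, which needs a GitHub account; consider adding a fallback contact for reporters who cannot use it, and state explicitly that vulnerabilities must not be filed as public issues. "We will provide an initial response within 5 days" also reads as a firm commitment; if it means acknowledging receipt rather than triaging or fixing, say so, e.g. "We will acknowledge receipt of a report within 5 days."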
Member

For a purely free open source project, there is a lot of pressure to respond to any security report within 5 days. In fact, for non-urgent issues or issues that we do not think must be fixed, we can delay the response. During the holidays, when it is not convenient to work, it is very likely that we will not be able to respond within 5 days.

Member Author

"initial response" here means just acknowledging that we have received the issue. I can change it to "as soon as reasonably possible for the maintainers"?

Member

What do you think about "We will strive to provide an initial response within 5 days, though it is not guaranteed."

Member Author

That sounds appropriate to me.

@mymindstorm mymindstorm requested a review from Sneezry July 30, 2024 04:56
@mymindstorm mymindstorm merged commit fb8bc84 into dev Aug 2, 2024
8 checks passed
@mymindstorm mymindstorm deleted the mymindstorm/security-policy branch August 2, 2024 05:28