This repository has been archived by the owner on Nov 10, 2022. It is now read-only.
Move vuln disclosure RFC to PROPOSED
- Final tweaks and typo corrections
- Move vuln disclosure RFC directory to root of RFC directory (we have done away with the "concepts" etc. directories)
Showing 1 changed file with 15 additions and 14 deletions.
@@ -1,10 +1,10 @@ | ||
# RFC00004: Vulnerability Disclosure and Embargo Policy | ||
# 00002: Vulnerability Disclosure and Embargo Policy | ||
- Authors: [axel simon]([email protected]) | ||
- Status: [PROPOSED](/README.md#proposed) | ||
- Since: 2020-03-10 | ||
- Status Note: under discussion | ||
- Status Note: ready to be trialed | ||
- Supersedes: N/A | ||
- Start Date: 2020-03-03 (date you started working on this idea) | ||
- Start Date: 2020-03-03 | ||
- Tags: security, infrastructure | ||
|
||
## Summary | ||
|
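Review bot: The heading change from "RFC00004" to "00002" both renumbers the document and drops the "RFC" prefix, but the commit message only mentions typo fixes and the directory move; state the renumbering in the commit message, and confirm that "00002" is not already taken by another document in the root RFC directory now that the "concepts" subdirectories are gone. The Status line keeps the root-relative link `/README.md#proposed`, which is the right choice after the move since it does not depend on the file's directory depth. Changing "Status Note" from "under discussion" to "ready to be trialed" while "Status" stays PROPOSED reads consistently with the README's PROPOSED definition only if PROPOSED is the state in which trials happen; worth a glance at that section.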
@@ -42,7 +42,7 @@ In other words: | |
## Tutorial | ||
|
||
This RFC aims to provide a set of documents (ex. wiki pages) that describe the | ||
Enarx vulnerability disclosure policy - including the use of embargos - and | ||
Enarx vulnerability disclosure policy - including the use of embargoes - and | ||
the list of security advisories and fixes. | ||
|
||
The two pages are "Vulnerability Reporting and Embargo Policy" and "Enarx | ||
|
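Review bot: The "embargos" to "embargoes" fix is correct; while touching this sentence, the parenthetical "(ex. wiki pages)" in the unchanged context line above it should read "(e.g. wiki pages)", since "ex." is not a standard abbreviation for "for example".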
@@ -238,14 +238,15 @@ We could offer further official channels for secure communication and | |
disclosure. | ||
|
||
Some ideas are: | ||
- Github: work with Github on security issues reporting (WIP) | ||
- Use RocketChat, our current [chat platform](https://chat.enarx.dev) RocketChat's capacity for with end-to-end | ||
encryptted conversations. | ||
- [Keybase](https://keybase.io/encrypt) messaging | ||
- [Signal](https://signal.org): raises question which account (ie: phone number) | ||
- A OMEMO or OTR enabled Jabber / XMPP account (OMEMO offering the advantage | ||
of allowing to establish a secure channel without both participants being | ||
online) | ||
- Github: work with Github on security issues reporting (WIP). | ||
- Use RocketChat, our current [chat platform](https://chat.enarx.dev), in | ||
particular its capacity for end-to-end encrypted conversations. | ||
- [Keybase](https://keybase.io/encrypt) messaging. | ||
- [Signal](https://signal.org): raises question which account (ie: currently, | ||
an associated phone number). | ||
- A [OMEMO](https://conversations.im/omemo/) or OTR enabled Jabber / XMPP | ||
account (OMEMO offering the advantage of allowing to establish a secure | ||
channel without both participants being online). | ||
- [Secure Drop](https://securedrop.org/) (initially designed for as a way to | ||
share and accept documents securely for news organisations, likely overkill) | ||
- A simpler drop box over HTTPS | ||
share and accept documents securely for news organisations, likely overkill). | ||
- A simpler drop box over HTTPS. |
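Review bot: The rewrite leaves a few wording defects in this list that a typo-correction pass should catch: the unchanged Secure Drop context line still reads "initially designed for as a way to share" (stray "for"), the product name is "SecureDrop" (one word, as in the linked URL), the new OMEMO line should read "An OMEMO or OTR enabled" rather than "A OMEMO", and "Github" should be "GitHub" on the first bullet. The Signal bullet still expresses the concern only as a fragment ("raises question which account"); suggest "raises the question of which account to use (i.e. currently an associated phone number)", which also makes the operational concern explicit: a disclosure channel tied to one person's phone number is hard to hand over or monitor as a team, unlike a shared mailbox or drop box.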