
Security advisories #87

Open
kroeckx opened this issue Jan 11, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@kroeckx (Member) commented Jan 11, 2024

I think we need to have a document describing what should all be covered in a security advisory. We've talked about this several times in the past, but I can't actually find an open issue for it.

Some of the things we should consider:

  • Should we document CVSS? In many cases, this gives the wrong answer for the users because it's a library. Maybe we should at least internally determine it. But a score if you use that part of the library can also be useful.
  • If we don't (publicly) document the CVSS, maybe we should at least document some of the values that go into it, like the complexity of the attack and the impact. This can be as text.
  • We should probably document how likely we think it is that you're affected, which is one of the things we use to determine the severity.
  • It should cover internal use in the libraries and the apps.
@ghost commented Feb 14, 2024

After F2F

@t8m t8m added the enhancement New feature or request label Feb 20, 2024