Reporting flow for security issues

Paul Spooren mail at aparcar.org
Sun Apr 26 05:31:39 PDT 2026


Hi Ansuel et al,

Thanks for the quick responses.

> 
> Hi Paul the problem of using Github directly is for repositories like
> the packages one where non-core members
> have also write access.

I think we can use sub-groups and delegate individual maintainers to CVEs. This brings the benefit of them being able to test it and directly ask the reporters for clarifications if needed.

> Handling security reports and CVEs might be hard
> and not everyone knows the correct
> procedure with reproduce it -> align with a fix -> sync with the
> reporter and give correct credit.

That’s exactly what made me start this email thread. There was a security report, I informed the repository maintainers, and a maintainer fixed it without further discussion or any mention of the reporter. While I appreciate the timely fix, ideally there is a bit of structure, which those advisories could introduce. Me playing ping pong between maintainers and reporters isn’t ideal.

> 
> Maybe we can tweak some permission and check if the security tab can
> be limited to core member that
> have access to the core repository.

Specifically, we can add security guidelines to each repository, allowing users to report issues. Reaching out via email should be a secondary option if GitHub itself doesn’t work.

> 
> I also think that we should create a wiki page with a step-by-step
> guide on how to handle security report
> with the usage of github CVE system.

I see that as an option, another way could be to use SECURITY.md in repositories to have a living document.

Best,
Paul


More information about the openwrt-adm mailing list