Skip to content

Commit b6f08c8

Browse files
authored
admin: Update security instructions to emphasize reporting via GitHub (#2112)
docs: Update security instructions to emphasize reporting via GitHub The security@openshadinglanguage.org is still fine, but we prefer that true vulnerability reports come via the GitHub security advisory mechanism. (That makes it easy for us to turn them into CVEs when needed, among other administrative niceties.) Signed-off-by: Larry Gritz <lg@larrygritz.com>
1 parent c3be3c6 commit b6f08c8

2 files changed

Lines changed: 19 additions & 16 deletions

File tree

README.md

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -504,14 +504,14 @@ your question quickly (more so than a GH "issue"). For quick questions, you
504504
could also try the [ASWF Slack](https://slack.aswf.io) `#openshadinglanguage`
505505
channel.
506506

507-
Bugs, build problems, and discovered vulnerabilities that you are relatively
508-
certain is a legit problem in the code, and for which you can give clear
509-
instructions for how to reproduce, should be [reported as
507+
A bug or build problem that you are relatively certain is a legit problem in
508+
the code, and **for which you can give clear instructions for how to
509+
reproduce**, should be [reported as
510510
issues](https://github.com/AcademySoftwareFoundation/OpenShadingLanguage/issues).
511511

512-
If you think you've found a potential vulnerability in OSL, please
513-
confidentially report it by emailing the project administrators at
514-
[security@openshadinglanguage.org](security@openshadinglanguage.org).
512+
To report a security vulnerability that is serious enough that it should not
513+
be discussed publicly until a patch is ready, please file a GitHub [security
514+
advisory](https://github.com/AcademySoftwareFoundation/OpenShadingLanguage/security/advisories/new).
515515

516516
If any other issue requires confidentiality that precludes a public question
517517
or issue, you may contact the project administrator privately at

SECURITY.md

Lines changed: 13 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -15,16 +15,19 @@ security vulnerabilities.
1515

1616
## Reporting a Vulnerability
1717

18-
If you think you've found a potential vulnerability in OSL, please report it
19-
by emailing the project administrators at
20-
[security@openshadinglanguage.org](security@openshadinglanguage.org). Only the
21-
project administrators have access to these messages. Include detailed steps to
22-
reproduce the issue, and any other information that could aid an
23-
investigation. Our policy is to respond to vulnerability reports within 14
24-
days.
25-
26-
Our policy is to address critical security vulnerabilities rapidly and post
27-
patches as quickly as possible.
18+
If you think you've found a potential vulnerability in OSL, please
19+
report it to the maintainers. Include detailed steps to reproduce the issue,
20+
and any other information that could aid an investigation.
21+
22+
The best way to report a vulnerability is to file a GitHub [security
23+
advisory](https://github.com/AcademySoftwareFoundation/OpenShadingLanguage/security/advisories/new).
24+
If that is not possible, it is also fine to email your report to
25+
security@openshadinglanguage.org. Only the project administrators have access
26+
to these reports.
27+
28+
Our policy is to respond to vulnerability reports within 14 days, and to
29+
address critical security vulnerabilities rapidly and post patches as quickly
30+
as possible.
2831

2932

3033
## Other security features

0 commit comments

Comments
 (0)