|
|
## IEEE Open Source Maintainers Manual
|
|
|
|
|
|
**Contents**
|
|
|
|
|
|
[TOC]
|
|
|
|
|
|
Copyright 2020, Maintainers Manual Authors
|
|
|
This manual is licensed to you under the Apache License, Version 2.0 (the "License").
|
|
|
|
... | ... | @@ -505,7 +509,7 @@ Security issues will be tracked using the CVE (Common Vulnerabilities and Exposu |
|
|
|
|
|
All projects on the Platform shall have a SECURITY.md file in the root directory of their project's repository explaining their security policy. Following is a sample (default) SECURITY.md file.
|
|
|
|
|
|
TEMPLATE: SECURITY.md
|
|
|
TEMPLATE: [SECURITY.md](SECURITY.md)
|
|
|
|
|
|
You may choose to adapt this standard template or to construct your own security process documentation. In all cases, your documentation should be in line with the following process.
|
|
|
|
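Review bot: The new `TEMPLATE: [SECURITY.md](SECURITY.md)` line uses a relative link target, which only resolves when the manual is rendered from the directory that holds the template. In an exported copy or one hosted elsewhere the link will be dead. Consider linking to the template's full repository URL. Please also confirm that the template file is part of this change, since it is not visible in this hunk.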
... | ... | @@ -519,7 +523,7 @@ Please report security vulnerabilities by filling out the following template: |
|
|
|
|
|
* DESCRIPTION: Please provide precise description of the security vulnerability you have found with as much information as you can provide.
|
|
|
|
|
|
Please send the above information, together with any other information or evidence you feel is pertinent to: [opensource-security@ieee.org](mailto:opensource-security@ieee.org)
|
|
|
Please send the above information, together with any other information or evidence you feel is pertinent to: [saopen-security@ieee.org](mailto:saopen-security@ieee.org)
|
|
|
|
|
|
We ask that you keep the report confidential until we have made a public announcement.
|
|
|
|
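Review bot: The changed line switches the reporting address from opensource-security@ieee.org to saopen-security@ieee.org, but nothing here says what happens to mail sent to the old address. Older copies of the manual and existing project SECURITY.md files will keep pointing reporters at it. Please confirm before merging that the old mailbox forwards to the new one or stays monitored, so that confidential reports are not silently dropped.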
... | ... | @@ -530,7 +534,7 @@ The Community Manager will let you know within two business weeks whether action |
|
|
|
|
|
### 9.3 Reporting and repairing critical vulnerability and exposures
|
|
|
|
|
|
Security vulnerabilities and concerns should be reported immediately by anyone associated with the Platform. Send your report to opensource-security@ieee.org. Security reports are confidential.
|
|
|
Security vulnerabilities and concerns should be reported immediately by anyone associated with the Platform. Send your report to [saopen-security@ieee.org](mailto:saopen-security@ieee.org). Security reports are confidential.
|
|
|
|
|
|
The Community Manager will contact the security contact listed by the Official IEEE Open Source Project and review the security vulnerability to determine if it is accepted or rejected. The Community Manager will notify the reporter if action is being taken based on the report. If a report is accepted the following protocol shall be followed:
|
|
|
|
... | ... | |
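Review bot: The changed line in section 9.3 hardcodes saopen-security@ieee.org a second time, in addition to the reporting instructions earlier in the manual, which is why the same address needed two separate edits in this change. Suggest having 9.3 refer back to the reporting instructions rather than repeating the address. Please also check that the linked SECURITY.md template carries the same address, so the manual and the template do not diverge.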