Security

This page describes how to report security vulnerabilities, whether external or internal. If you have any questions, please reach us on #voxpupuli on Libera.

Reporting security vulnerabilities

If you want to report any security vulnerability, please contact Julien Pivotto. Julien’s GPG key can be downloaded here.

Julien’s GPG key fingerprint is 0C7F 1877 69D0 72B9 3B64 2BB9 E484 2505 33AE 92DA.

Here is a list of topics where the security officer can help you:

Good practices regarding security

For our contributors, here are some good practices that we highly recommend.

  1. Set up GitHub Two-Factor Authentication

    GitHub supports Two-Factor Authentication. Please enable it to add more protection to your account.

  2. GPG-sign tag commits

    Git allows you to GPG-sign commits and tags. You should at least GPG-sign the release commits, and register your GPG key in GitHub so the signatures show as verified.

  3. Respect the responsible disclosure model

    Vox Pupuli is agile enough to address security vulnerabilities quickly. Still, we encourage you to get in touch with the security officer, who will help you work out a good disclosure schedule and an appropriate response.

  4. Follow Vox Pupuli flows and practices

    Our practices are made with security in mind. Please avoid breaking away from them and try to follow our way of doing things. If you want to diverge, please come to us and talk about your use case. Maybe the changes you want to make would be useful for everyone! A good example of this is modulesync.
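The signing practice in item 2 is only useful if someone on the receiving side actually checks the signature, and checks who made it. The script below is an added example, not code from the Vox Pupuli page or from modulesync: it creates a throwaway GPG key in an isolated GNUPGHOME, configures a scratch repository to sign commits and tags, signs a release tag, and then verifies the tag while pinning the signer to an expected fingerprint (the same idea as publishing the security officer's fingerprint above). It assumes git and gpg 2.1+ are installed; the repository, key identity, tag name and the "wrong" fingerprint are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the Vox Pupuli page): sign a release tag
# with a throwaway GPG key in an isolated GNUPGHOME, then verify the tag
# and pin the signer to an expected fingerprint, as a release reviewer
# would. Assumes git and gpg 2.1+ are installed; the repository, key
# identity, tag name and "wrong" fingerprint are constructed for the demo.
set -eu

# verify_tag_signer REPO TAG EXPECTED_FPR
# Prints "verified" when TAG carries a valid signature made by the key
# with fingerprint EXPECTED_FPR, "untrusted" when the signature is valid
# but made by some other key, and returns 1 when there is no valid
# signature at all (unsigned tag, unknown key, tampered object).
verify_tag_signer() {
    repo=$1; tag=$2; expected_fpr=$3
    # --raw prints gpg's machine-readable status on stderr; the VALIDSIG
    # line carries the fingerprint of the key that produced the signature.
    actual_fpr=$(git -C "$repo" verify-tag --raw "$tag" 2>&1 \
                 | awk '/VALIDSIG/ { print $3; exit }')
    [ -n "$actual_fpr" ] || return 1
    if [ "$actual_fpr" = "$expected_fpr" ]; then
        echo verified
    else
        echo untrusted
    fi
}

# demo_signed_release
# Builds the whole scenario: throwaway key, repo configured to sign,
# a signed commit and a signed tag, then one good and one bad check.
# Prints "verified untrusted".
demo_signed_release() {
    workdir=$(mktemp -d)
    GNUPGHOME="$workdir/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # Throwaway, passphrase-less key with a constructed identity (demo only).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Release Bot (example) <release@example.invalid>" \
        default default never
    # First "fpr" record is the primary key, which is also the signing key here.
    fpr=$(gpg --batch --with-colons --fingerprint \
          | awk -F: '/^fpr/ { print $10; exit }')

    repo="$workdir/repo"
    git init -q "$repo"
    git -C "$repo" config user.name  "Release Bot"
    git -C "$repo" config user.email "release@example.invalid"
    git -C "$repo" config user.signingkey "$fpr"
    git -C "$repo" config commit.gpgsign true   # sign every commit
    git -C "$repo" config tag.gpgSign true      # annotated tags signed by default

    echo "puppet module" > "$repo/README.md"
    git -C "$repo" add README.md
    git -C "$repo" commit -q -m "Release v1.0.0"
    git -C "$repo" tag -s v1.0.0 -m "v1.0.0"

    good=$(verify_tag_signer "$repo" v1.0.0 "$fpr")
    # Constructed fingerprint that no key has: valid signature, wrong signer.
    bad=$(verify_tag_signer "$repo" v1.0.0 0000000000000000000000000000000000000000)
    printf '%s %s\n' "$good" "$bad"

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$workdir"
}
```

Run `demo_signed_release` after sourcing the file; it prints `verified untrusted`. The point of `verify_tag_signer` is that `git verify-tag` alone only tells you a signature is valid for some key in your keyring; pinning to a published fingerprint is what ties a release to the person who is supposed to have made it.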