This page describes how to report security vulnerabilities, whether external or internal. If you have any questions, please reach us on #voxpupuli on Freenode.
Julien's GPG key fingerprint is 0C7F 1877 69D0 72B9 3B64 2BB9 E484 2505 33AE 92DA.
Here is a list of topics where the security officer can help you:
For our contributors, here are some good practices that we highly recommend.
Set up GitHub Two-Factor Authentication
GitHub supports two-factor authentication. Please enable it to add an extra layer of protection to your account.
GPG-Sign Tags and Commits
Git allows you to GPG-sign commits and tags. You should at least GPG-sign the release commits, and register your GPG key with GitHub.
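Signing only helps if someone verifies it. As an added example (not part of this page or of Vox Pupuli's own tooling), here is a Python check a maintainer or consumer can run over the stderr of `git verify-tag --raw <tag>` or `git verify-commit --raw <sha>`: it accepts an object only when gpg reports GOODSIG and the key fingerprint is one pinned in advance, rejecting a perfectly valid signature from an unknown key. Julien's fingerprint above is the pinned entry; the sample status lines are constructed.

```python
import re

# Fingerprints pinned for release verification. Julien's comes from this page;
# add further maintainers here (spacing and case do not matter).
TRUSTED_FINGERPRINTS = {"0C7F 1877 69D0 72B9 3B64 2BB9 E484 2505 33AE 92DA"}
# Status keywords after which the object must not be trusted at all.
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize_fpr(fpr: str) -> str:
    return re.sub(r"\s+", "", fpr).upper()


def check_signature(raw: str, trusted=TRUSTED_FINGERPRINTS):
    """Judge the gpg --status-fd lines that `git verify-tag --raw <tag>` (or
    `git verify-commit --raw <sha>`) writes to stderr: the signature must be
    GOODSIG *and* come from a pinned key. Returns (ok, reason)."""
    pinned = {normalize_fpr(f) for f in trusted}
    good, fprs = False, []
    for line in raw.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable gpg lines are interleaved; ignore them
        if fields[1] in REJECT:
            return False, f"gpg reported {fields[1]}"
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG":
            fprs.append(fields[2])        # signing (sub)key fingerprint
            if len(fields) > 11:
                fprs.append(fields[11])   # primary key fingerprint, if present
    if not good:
        return False, "no GOODSIG: object is unsigned or gpg printed nothing"
    if not fprs:
        return False, "GOODSIG without VALIDSIG: signing key not identifiable"
    for f in fprs:
        if normalize_fpr(f) in pinned:
            return True, f"signed by pinned key {normalize_fpr(f)}"
    return False, f"valid signature, but key {normalize_fpr(fprs[0])} is not pinned"


# Constructed sample status output, not a real verification transcript.
SAMPLE_OK = """gpg: Good signature from "Julien"
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E484250533AE92DA Julien
[GNUPG:] VALIDSIG 0C7F187769D072B93B642BB9E484250533AE92DA 2019-01-01 1546300800 0 4 0 1 8 00 0C7F187769D072B93B642BB9E484250533AE92DA
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same transcript but from an unknown key: gpg says GOODSIG, yet we reject it.
SAMPLE_UNKNOWN = SAMPLE_OK.replace("0C7F187769D072B93B642BB9E484250533AE92DA", "A" * 40)
```

Feed it `subprocess.run(["git", "verify-tag", "--raw", tag], capture_output=True, text=True).stderr` to check a real tag; the plain `git verify-tag` exit code alone only tells you the signature is valid, not whose key made it.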
Respect the Responsible Disclosure Model
Vox Pupuli is agile enough to address security vulnerabilities quickly. Still, we encourage you to get in touch with the security officer, who will help you work out a suitable disclosure schedule and an appropriate response.
Link to this page from the README.
README files of Vox Pupuli projects should link to this page and make clear that it is the place to report security vulnerabilities that need to be handled privately.
Follow Vox Pupuli flows and practices
Our practices are designed with security in mind. Please avoid breaking away from them and try to follow our way of doing things. If you want to diverge from them, please come to us and talk about your use case. Maybe the changes you want to make would be useful for everyone! A good example of this is modulesync.