continuwuation/continuwuity
9
19
Fork 12
Code Issues 84 Pull requests 10 Projects Releases 17 Packages 1 Activity Actions

docs: Security policy #838

Merged
Jade merged 2 commits from jade/security-policy into main 2025-05-26 16:02:10 +00:00
Conversation 2 Commits 2 Files changed 3 +65
Jade commented 2025-05-24 23:36:54 +00:00
Owner
Copy link
No description provided.
Jade added 1 commit 2025-05-24 23:36:54 +00:00
docs: Security policy
Some checks failed
Rust Checks / Format (push) Successful in 1m22s
Details
Rust Checks / Clippy (push) Successful in 4m54s
Details
Rust Checks / Cargo Test (push) Failing after 4m46s
Details
Documentation / Build and Deploy Documentation (pull_request) Successful in 1m27s
Details
0ba77674c7
Jade 2025-05-24 23:36:59 +00:00
nex requested changes 2025-05-25 01:33:53 +00:00
nex left a comment
Owner
Copy link

mostly looks good, some requests/notes regarding clarity

mostly looks good, some requests/notes regarding clarity
SECURITY.md
@ -0,0 +8,4 @@
| Version | Supported |
| -------------- |:----------------:|
| Latest release | ✅ |
nex commented 2025-05-25 01:30:10 +00:00
Owner
Copy link

We should have a grace period for new releases where we still support the previous release, to give people time to migrate over and whatnot. If this is implicit, it is not clear

We should have a grace period for new releases where we still support the previous release, to give people time to migrate over and whatnot. If this is implicit, it is not clear
Jade commented 2025-05-25 21:31:27 +00:00
Author
Owner
Copy link

Do we have the resources to backport to N versons, and is there a reason why people wouldn't upgrade?

Do we have the resources to backport to N versons, and is there a reason why people wouldn't upgrade?
nex commented 2025-05-25 23:30:30 +00:00
Owner
Copy link

Issuing patches for security vulns isn't usually too big of a task. Sometimes people don't upgrade because they're either unaware or simply haven't had the time to (hell, one of my own servers is still running old conduwuit main 😅)
Backporting to the last release is rarely an issue, but if you don't think it's worth it then we don't need to bother. We'll just have to be extra careful to make sure upgrades go smoothly

Issuing patches for security vulns isn't usually too big of a task. Sometimes people don't upgrade because they're either unaware or simply haven't had the time to (hell, one of my own servers is still running old conduwuit main 😅) Backporting to the last release is rarely an issue, but if you don't think it's worth it then we don't need to bother. We'll just have to be extra careful to make sure upgrades go smoothly
Jade marked this conversation as resolved
SECURITY.md
@ -0,0 +18,4 @@
We appreciate the efforts of security researchers and the community in identifying and reporting vulnerabilities. To ensure that potential vulnerabilities are addressed properly, please follow these guidelines:
1. **Email the security team** directly at [security@continuwuity.org](mailto:security@continuwuity.org)
nex commented 2025-05-25 01:33:17 +00:00
Owner
Copy link

Is there PGP enabled on this inbox? If not, I don't think an unencrypted channel should be prioritized for security issues over encrypted ones

Is there PGP enabled on this inbox? If not, I don't think an unencrypted channel should be prioritized for security issues over encrypted ones
Jade commented 2025-05-25 21:30:14 +00:00
Author
Owner
Copy link

This just forwards to all of our continuwuity emails, so not sure PGP supports multi-recipent encryption. We could have a shared key?

But yeah, I agree that we can probably move it down in the list.

This just forwards to all of our continuwuity emails, so not sure PGP supports multi-recipent encryption. We could have a shared key? But yeah, I agree that we can probably move it down in the list.
nex commented 2025-05-25 23:31:04 +00:00
Owner
Copy link

pgp does support it, but not in this way. I think the ideal would just be moving the email down the list then

pgp does support it, but not in this way. I think the ideal would just be moving the email down the list then
Jade marked this conversation as resolved
SECURITY.md
@ -0,0 +22,4 @@
2. Contact members of the team over E2EE private message.
- [@jade:ellis.link](https://matrix.to/#/@jade:ellis.link)
- [@nex:nexy7574.co.uk](https://matrix.to/#/@nex:nexy7574.co.uk) <!-- ? -->
3. **Do not disclose the vulnerability publicly** until it has been addressed
nex commented 2025-05-25 01:32:32 +00:00
Owner
Copy link

People sometimes accidentally disclose vulnerabilities as they discover them, perhaps a mention that concerns regarding security should go to private channels in case there's any doubt? Means people won't go "hmm I wonder if this is a security- OH NO this is a security issue" in a public channel

People sometimes accidentally disclose vulnerabilities as they discover them, perhaps a mention that concerns regarding security should go to private channels in case there's any doubt? Means people won't go "hmm I wonder if this is a security- OH NO this is a security issue" in a public channel
Jade commented 2025-05-25 21:30:29 +00:00
Author
Owner
Copy link

Good idea

Good idea
❤️ 1
Jade marked this conversation as resolved
nex added the
Security
 label 2025-05-25 01:36:33 +00:00
Aranjedeath approved these changes 2025-05-25 23:57:35 +00:00
Jade added 1 commit 2025-05-26 14:02:04 +00:00
docs: Apply feedback on security policy
Some checks are pending
Documentation / Build and Deploy Documentation (pull_request) Successful in 45s
Details
Documentation / Build and Deploy Documentation (push) Waiting to run
Details
Rust Checks / Format (push) Waiting to run
Details
Rust Checks / Clippy (push) Waiting to run
Details
Rust Checks / Cargo Test (push) Waiting to run
Details
e8d823a653
Jade merged commit e8d823a653 into main 2025-05-26 16:02:10 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
nex
Aranjedeath
Labels
Clear labels   
Bug

Something isn't working as intended

  
Cherry-picking

Commits picked from other conduit projects

  
Database

This requires or includes changes to the database

  
Dependencies

Something dependency related

  
Difficulty
Easy
Low difficulty to implement - touches few parts of the codebase, low complexity

  
Difficulty
Hard
High difficulty to implement - touches many parts of the codebase, high complexity

  
Difficulty
Medium
Medium difficulty to implement - touches more parts of the codebase, higher complexity

  
Documentation

Improvements or additions to documentation

  
Enhancement

New feature or request

  
Good first issue

Good for newcomers

  
Help wanted

Additional eyes and keyboards are required for this one

  
Inherited

Issues that have been inhereted from the project pre-fork

  
Matrix/Administration

Features pertaining to homeserver administration

  
Matrix/Appservices

Features pertaining to the appservice API

  
Matrix/Auth

Features pertaining to authentication

  
Matrix/Client

Features pertaining to client-to-server interactions

  
Matrix/Core

   
Matrix/Federation

Features pertaining to server-to-server interactions

  
Matrix/MSC

Features pertaining to unstable matrix features

  
Matrix/Media

Features pertaining to media interactions

  
Meta

Related to housekeeping, maintenance, or other repo-meta.

  
Meta/Packaging

Packaging

  
Priority
Blocking
This issue is blocking the next release

  
Priority
High
This issue is very important

  
Priority
Low
This issue is of a rather low priority

  
Security

This item is related to general security

  
Status
Confirmed

  
Status
Duplicate
This issue or pull request already exists

  
Status
Invalid
This issue doesn't seem right

  
Status
Needs Investigation
This issue needs further investigation

  
Wont fix

This will not be worked on

  
old/ci/cd

Ci/CD

Archived

  
old/rust

Pull requests that update Rust code

Archived

No labels
Bug
Cherry-picking
Database
Dependencies
Difficulty
Easy
Difficulty
Hard
Difficulty
Medium
Documentation
Enhancement
Good first issue
Help wanted
Inherited
Matrix/Administration
Matrix/Appservices
Matrix/Auth
Matrix/Client
Matrix/Core
Matrix/Federation
Matrix/MSC
Matrix/Media
Meta
Meta/Packaging
Priority
Blocking
Priority
High
Priority
Low
Security
Status
Confirmed
Status
Duplicate
Status
Invalid
Status
Needs Investigation
Wont fix
old/ci/cd
old/rust
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: continuwuation/continuwuity#838
No description provided.
Delete branch "jade/security-policy"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?