docs: add a basic security policy (canonical#1266)

Adds a simple security policy, so that users can easily find out how to privately report security issues. The policy states that 2.x will get security updates, which seems reasonable to me, but we could make that more recent versions if that was better. The policy offers reporting via GitHub (which would need to be turned on) and to the [email protected] address - I think it's important to still offer an email (particularly encrypted email) mechanism, not just the GitHub one. This is based on the [LXD policy](https://github.com/canonical/lxd/blob/main/SECURITY.md), and the [work to develop a Canonical security policy template](https://warthogs.atlassian.net/browse/SEC-4238) (internal link only, sorry). See also [this Mattermost discussion](https://chat.canonical.com/canonical/pl/gnk4rsorrpgr3yetka9suh5bpa) (also internal only, sorry). --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: Ben Hoyt <[email protected]> Co-authored-by: Ben Hoyt <[email protected]> Co-authored-by: Dima Tisnek <[email protected]> Co-authored-by: github-actions <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
tonyandrewmeyer · Jun 26, 2024 · ed90f3e · ed90f3e
1 parent bed3d44
commit ed90f3e
Showing 1 changed file with 36 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,36 @@
+# Security policy
+
+## Supported versions
+
+All ops 2.x versions released within the last year are currently supported with security updates.
+
+## Reporting a vulnerability
+
+Please provide a description of the issue, the steps you took to
+create the issue, affected versions, and, if known, mitigations for
+the issue.
+
+The easiest way to report a security issue is through
+[GitHub's security advisory for this project](https://github.com/canonical/operator/security/advisories/new). See
+[Privately reporting a security
+vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)
+for instructions on reporting using GitHub's security advisory feature.
+
+The ops GitHub admins will be notified of the issue and will work with you
+to determine whether the issue qualifies as a security issue and, if so, in
+which component. We will then figure out a fix, get a CVE
+assigned, and coordinate the release of the fix.
+
+You may also send email to [email protected]. Email may optionally be
+encrypted to OpenPGP key
+[`4072 60F7 616E CE4D 9D12 4627 98E9 740D C345 39E0`](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x407260f7616ece4d9d12462798e9740dc34539e0)
+
+If you have a deadline for public disclosure, please let us know.
+Our vulnerability management team intends to respond within 3 working
+days of your report. This project aims to resolve all vulnerabilities
+within 90 days.
+
+The [Ubuntu Security disclosure and embargo
+policy](https://ubuntu.com/security/disclosure-policy) contains more
+information about what you can expect when you contact us, and what we
+expect from you.