pidgin/nest

ade72caa087d
Parents a6832f539981
Children 23cde9bc4d34
Add extra way to report security vulnerability

- Add an extra way of reporting a security vulnerability in the project. This
is done by creating a new issue in our issue tracker and ensuring that the
visibility of it is set so that only Pidgin Developers can view it.
- Fix a simple mistake in markdown link syntax in the contributing page which
links back to the Security page.
- Change hardcoded link to list of advisories to a Hugo ref link (if we ever
change the location of the advisories page this will make Hugo throw an error
since it won't be able to find the page; otherwise the link would just end up
being broken without us necessarily knowing about it).

Testing Done:
Ran `dev-server.sh` and verified content looks as intended.

Reviewed at https://reviews.imfreedom.org/r/806/
--- a/hugo/content/about/security/_index.md Tue Jul 13 14:40:03 2021 -0500
+++ b/hugo/content/about/security/_index.md Thu Jul 15 00:40:59 2021 -0500
@@ -10,15 +10,26 @@
security-related information, and for disclosing this information to the
public.
-Please see our comprehensive
-[list of known and reported security advisories](advisories/) for
-information on past vulnerabilities.
+Please see our comprehensive [list of known and reported security
+advisories]({{< ref "about/security/advisories" >}}) for information on past
+vulnerabilities.
## Reporting a Security-related Issue
If you believe you have discovered a security problem or vulnerability in
Pidgin, libpurple, Finch, or one of our related projects, please let us know
-by emailing [security@pidgin.im](mailto:security@pidgin.im).
+by using one of the following methods:
+
+* **Our preferred way:** Emailing
+ [security@pidgin.im](mailto:security@pidgin.im).
+* Use this specific
+ [new issue](https://issues.imfreedom.org/newIssue?project=PIDGIN&c=visible%20to%20Pidgin%20Developers)
+ link, which will create a new issue in our issue tracker while ensuring that
+ its visibility is set so that it's only visible to the `Pidgin Developers`
+ team. The visibility selection we are referring to can be verified by looking
+ for it right above the *Create* button. Setting a limited visibility is of
+ *utmost* importance as otherwise we'd need to consider the vulnerability to
+ have been made public since everyone could read it from our issue tracker.
In order to help us fix the problem as quickly as possible and with as little
exposure to malicious intent to our users as can be managed, we ask that you
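Review bot: In the second bullet, the confidentiality of a tracker report rests on the `c=visible%20to%20Pidgin%20Developers` parameter in the link, yet the text only says the visibility selection "can be verified". Since the same bullet says a report without limited visibility has to be considered public, phrase the check as a required step, for example "Before clicking *Create*, confirm that the visibility shown right above the button is set to `Pidgin Developers`." The two bullets would also read better in parallel form ("Emailing ..." and "Using ...").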
@@ -62,4 +73,3 @@
If you believe you should be on this list, please contact
[security@pidgin.im](mailto:security@pidgin.im) and let us know why.
-
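Review bot: The blank line removed at the end of this hunk is a whitespace-only change that none of the three bullets in the commit description covers. Mention it there or leave it out, so the change stays limited to what was described and tested.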
--- a/hugo/content/development/contributing.md Tue Jul 13 14:40:03 2021 -0500
+++ b/hugo/content/development/contributing.md Thu Jul 15 00:40:59 2021 -0500
@@ -79,7 +79,7 @@
existing bug reports that match the issue you have encountered. This is to
ensure that we are not submitting a duplicate issue.
1. If the bug you are reporting is a previously unknown security vulnerability,
- please read our (Security page)[{{< ref "about/security" >}}] for details on
+ please read our [Security page]({{< ref "about/security" >}}) for details on
how to submit a security vulnerability report. It's of utmost importance that
security issues are not made public until we have the chance to fix them,
otherwise our users will be vulnerable until we are able to fix the issue and
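Review bot: In step 1, the swapped form `(Security page)[...]` is plain text as far as Markdown is concerned, so it produced no build error and was only caught by eye. It is worth searching the rest of `hugo/content` for the same `)[{{< ref` pattern as part of this change, since the step it sits in is the one that steers reporters of security vulnerabilities away from filing a public issue.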