templates: add warning about reporting security issues. (envoyproxy#7735

) While there, move SECURITY_RELEASE_PROCESS.md to SECURITY.md to make it work with GitHub's Security tab. Signed-off-by: Piotr Sikora <[email protected]>
foshanck · Jul 26, 2019 · 27b41b8 · 27b41b8
1 parent a8200bc
commit 27b41b8
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 7 deletions.
diff --git a/GOVERNANCE.md b/GOVERNANCE.md
@@ -52,10 +52,10 @@
     can be promoted to other issue types once it's clear they are actionable (at which point the
     question label should be removed).
 * Make sure that ongoing PRs are moving forward at the right pace or closing them.
-* Participate when called upon in the [security release process](SECURITY_RELEASE_PROCESS.md). Note
-  that although this should be a rare occurrence, if a serious vulnerability is found, the process
-  may take up to several full days of work to implement. This reality should be taken into account
-  when discussing time commitment obligations with employers.
+* Participate when called upon in the [security release process](SECURITY.md). Note that although
+  this should be a rare occurrence, if a serious vulnerability is found, the process may take up to
+  several full days of work to implement. This reality should be taken into account when discussing
+  time commitment obligations with employers.
 * In general continue to be willing to spend at least 25% of ones time working on Envoy (~1.25
   business days per week).
 * We currently maintain an "on-call" rotation within the maintainers. Each on-call is 1 week.

diff --git a/ISSUE_TEMPLATE.md b/ISSUE_TEMPLATE.md
@@ -1,3 +1,7 @@
+**WARNING: If you want to report crashes, leaking of sensitive information,
+and/or other security issues, please consider
+[reporting them using appropriate channels](https://github.com/envoyproxy/envoy#reporting-security-vulnerabilities).**
+
 **Issue Template**
 
 *Title*: *One line description*

diff --git a/README.md b/README.md
@@ -85,4 +85,4 @@ If you've found a vulnerability or a potential vulnerability in Envoy please let
 email to acknowledge your report, and we'll send an additional email when we've identified the issue
 positively or negatively.
 
-For further details please see our complete [security release process](SECURITY_RELEASE_PROCESS.md).
+For further details please see our complete [security release process](SECURITY.md).
diff --git a/SECURITY_RELEASE_PROCESS.md → SECURITY.md b/SECURITY_RELEASE_PROCESS.md → SECURITY.md
diff --git a/security/email-templates.md b/security/email-templates.md
@@ -36,14 +36,14 @@ Hello Envoy Distributors,
 The Envoy security team would like to provide advanced notice to the Envoy
 Private Distributors List of some details on the pending Envoy $VERSION
 security release, following the process described at
-https://github.com/envoyproxy/envoy/blob/master/SECURITY_RELEASE_PROCESS.md.
+https://github.com/envoyproxy/envoy/blob/master/SECURITY.md.
 
 This release will be made available on the $ORDINALDAY of $MONTH $YEAR at
 $PDTHOUR PDT ($GMTHOUR GMT). This release will fix $NUMDEFECTS security
 defect(s). The highest rated security defect is considered $SEVERITY severity.
 
 Below we provide details of these vulnerabilities under our embargo policy
-(https://github.com/envoyproxy/envoy/blob/master/SECURITY_RELEASE_PROCESS.md#embargo-policy).
+(https://github.com/envoyproxy/envoy/blob/master/SECURITY.md#embargo-policy).
 This information should be treated as confidential until public release by the
 Envoy maintainers on the Envoy GitHub.