From da5f1c06f802eae767f1ba722caca1e79a704093 Mon Sep 17 00:00:00 2001 From: Dave Verwer Date: Mon, 12 May 2025 17:29:43 +0100 Subject: [PATCH 1/3] Added a basic SECURITY.md. --- SECURITY.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..5d2f295a0 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,15 @@ +# Security Policies and Procedures + +This document outlines security procedures and general policies for the Swift Package Index project. + +## Reporting a Bug + +We take all security bugs in the Swift Package Index project seriously. We appreciate your responsible disclosure efforts and will acknowledge your contributions where appropriate. + +Report security bugs via the “[Security](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server/security)” tab in our GitHub repository or via the “[Report a Vulnerability](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server/security/advisories/new)” form. This will open a private conversation to report and discuss the vulnerability with project maintainers. + +Once we resolve a security issue, where appropriate, we will publish a security advisory on the GitHub repository’s “Security” tab. + +## Comments on this Policy + +Please [open a discussion](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server/discussions/new/choose) if you have suggestions to improve this process. From d871fec5808c6ce8a1ce13435ed48aa2257b451c Mon Sep 17 00:00:00 2001 From: Dave Verwer Date: Mon, 12 May 2025 18:37:58 +0100 Subject: [PATCH 2/3] =?UTF-8?q?Let=E2=80=99s=20cope=20with=20PackageList?= =?UTF-8?q?=20security=20all=20in=20the=20same=20place.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- SECURITY.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 5d2f295a0..b4e51917e 100644 --- a/SECURITY.md 
+++ b/SECURITY.md 
@@ -2,14 +2,20 @@ This document outlines security procedures and general policies for the Swift Package Index project. -## Reporting a Bug +## Reporting Security Issues with the Project -We take all security bugs in the Swift Package Index project seriously. We appreciate your responsible disclosure efforts and will acknowledge your contributions where appropriate. +We take all security bugs in the Swift Package Index project seriously. We appreciate your responsible disclosure efforts and, where appropriate, will acknowledge your contributions. -Report security bugs via the “[Security](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server/security)” tab in our GitHub repository or via the “[Report a Vulnerability](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server/security/advisories/new)” form. This will open a private conversation to report and discuss the vulnerability with project maintainers. +Please report security bugs via the “[Security](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server/security)” tab in the [Server GitHub repository](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server) or directly via the “[Report a Vulnerability](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server/security/advisories/new)” form. This will open a private conversation with the Swift Package Index project maintainers. Once we resolve a security issue, where appropriate, we will publish a security advisory on the GitHub repository’s “Security” tab. +## Reporting Security Issues in Packages in the Index + +If you find a security issue **in a package indexed by the Swift Package Index package**, please report it directly to the package maintainer. 
+ +If you believe a package has malicious intent or critical security issues that the maintainer doesn’t address promptly, report it via the “[Security](https://github.com/SwiftPackageIndex/PackageList/security)” tab in the [PackageList GitHub repository](https://github.com/SwiftPackageIndex/PackageList) or directly via the “[Report a Vulnerability](https://github.com/SwiftPackageIndex/PackageList/security)” form. This will open a private conversation with the Swift Package Index project maintainers. + ## Comments on this Policy -Please [open a discussion](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server/discussions/new/choose) if you have suggestions to improve this process. +Please [open a discussion](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server/discussions/new/choose) if you have suggestions to improve this process. From 3bca882419b1c9e6e83c2fba45ffc76f1051259e Mon Sep 17 00:00:00 2001 From: Dave Verwer Date: Mon, 12 May 2025 18:43:04 +0100 Subject: [PATCH 3/3] Wording tweak. --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index b4e51917e..63614a811 100644 --- a/SECURITY.md +++ b/SECURITY.md 
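Review bot: in the new “Reporting Security Issues in Packages in the Index” paragraph, the second link is labelled “Report a Vulnerability” but points at `https://github.com/SwiftPackageIndex/PackageList/security`, which is the Security tab the preceding link already targets; the Server section uses `.../security/advisories/new` for the form, so the PackageList link should presumably be `https://github.com/SwiftPackageIndex/PackageList/security/advisories/new` (assuming private vulnerability reporting is enabled on the PackageList repository, which this patch cannot show). Two smaller points in the same hunk: the bold phrase “in a package indexed by the Swift Package Index package” has a stray trailing “package”, and the final -/+ pair for the “Please [open a discussion]” line is textually identical, so the only change there is presumably a trailing newline; worth confirming that is intended rather than an accidental whitespace edit.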
@@ -8,7 +8,7 @@ We take all security bugs in the Swift Package Index project seriously. We appre Please report security bugs via the “[Security](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server/security)” tab in the [Server GitHub repository](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server) or directly via the “[Report a Vulnerability](https://github.com/SwiftPackageIndex/SwiftPackageIndex-Server/security/advisories/new)” form. This will open a private conversation with the Swift Package Index project maintainers. -Once we resolve a security issue, where appropriate, we will publish a security advisory on the GitHub repository’s “Security” tab. +Once we resolve a security issue, we will publish a security advisory on the GitHub repository’s “Security” tab, where appropriate. ## Reporting Security Issues in Packages in the Index
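Review bot: the policy as introduced in the first patch, and left unchanged by the two follow-ups, gives reporters no expectation of what happens after they submit: no acknowledgement window, no indication of how a fix is coordinated with the reporter before an advisory is published, and no statement of what is in scope (the Server repository’s code, the deployed site, or both). Consider adding a sentence after “This will open a private conversation with the Swift Package Index project maintainers.” that commits to a concrete acknowledgement period the maintainers can actually meet and says the reporter will be kept informed until the advisory is published, plus a one-line scope statement, so reporters know when a follow-up is reasonable. The clause move in this last hunk itself reads fine.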