Coordinated Disclosure Plan Verification/Automation

Hi, lifters. I wanted to let you know of a change to the Coordinated Disclosure Plan lifter task. Before, you simply let us know which plan you selected and where you linked to the plan information (either Tidelift’s or your own). Now, much like the Tell Potential Subscribers task, we’ll be checking that the URL you gave us contains the correct plan URL and, if it does, the task will be marked “completed”:

Like with Tell Potential Subscribers, this is checked daily and, if the link isn’t found due to moving files around or misconfiguration, the task will change status from “completed” to “to do”. When this rolls out this morning, it may cause this task to be marked as “to do” if we are unable to verify the plan URL. It’s important that your users know how to contact you (or us) in the case of a security issue, and our subscribers care that our lifters take security seriously, so be sure to get the task fixed up if needed.

Pretty soon we’ll be rolling out some other small improvements around setting up the Coordinated Disclosure Plan for new liftings, taking advantage of community health files in a GitHub repository or organization when possible to complete the task for you immediately upon approval. Thanks, and let us know if you have any questions or concerns.

4 Likes

I love the work you are doing on automation and verification @johnbintz-tidelift!! Keep up the awesome work :heart:

2 Likes

Update: we’ve now added some automatic detection of coordinated disclosure policies in GitHub repos. If you haven’t chosen a plan for a package, and you have a SECURITY.md file in your package repo or a community health repo, and it contains either the Tidelift security policy URL https://tidelift.com/security or the URL of a policy you’ve manually established for another lifting in the same GitHub organization, we’ll pick up that info and mark the new package’s task complete. You’ll get an email letting you know we’ve done this. This should help make setting up new packages to lift just a little easier for you all.

Let us know if you have any questions on the process. More improvements to come!

3 Likes

I just created a SECURITY.md file in my user’s .github repo (https://github.com/ljharb/.github/blob/master/.github/SECURITY.md). GitHub doesn’t seem to do anything with this, however, and neither does Tidelift. Is there any way to have a default security policy for all of my repos so this task can be autocompleted for all packages whose repo I own?

Try moving SECURITY.md to the root of that repo. GitHub should pick it up then. The GitHub guidelines want it at the root folder for the organization repo, but in either a .github folder or at the root folder for a project repo.

Then reply here once you’ve made the change & when GitHub is picking up the security file, and I’ll make sure our policy detection code is working correctly, too.

1 Like
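As an added illustration of the two checks discussed in this thread (the plan-URL check in the announcement and the SECURITY.md location rules in the reply above), here is a small verifier written for this page. It is not Tidelift's own code. It assumes repositories are handed in as a constructed snapshot (a dict of repo-relative path to file contents), matches paths exactly, and treats any accepted plan URL found in the policy text as satisfying the task; the daily re-check is modelled by simply running the stateless verifier again against the current snapshot.

```python
import re
from typing import Mapping, Optional, Set

# Constructed example verifier; not Tidelift's implementation.

TIDELIFT_POLICY_URL = "https://tidelift.com/security"

# Where GitHub looks for a security policy, per the guidance in the thread:
# the organization-level community health repo (".github") wants SECURITY.md
# at its root; a project repo may carry it at the root or under .github/.
ORG_HEALTH_REPO_PATHS = ("SECURITY.md",)
PROJECT_REPO_PATHS = ("SECURITY.md", ".github/SECURITY.md")

# Assumption: exact, case-sensitive path matching on the snapshot.
URL_RE = re.compile(r"https?://[^\s<>()'\"]+")


def find_security_policy(files: Mapping[str, str], is_org_health_repo: bool) -> Optional[str]:
    """Return the body of the first SECURITY.md found in a recognised location, else None."""
    candidates = ORG_HEALTH_REPO_PATHS if is_org_health_repo else PROJECT_REPO_PATHS
    for path in candidates:
        if path in files:
            return files[path]
    return None


def policy_urls_in(text: str) -> Set[str]:
    """Extract every http(s) URL from a policy body, trimming trailing punctuation."""
    return {match.rstrip(".,;") for match in URL_RE.findall(text)}


def task_status(policy_text: Optional[str], accepted_urls: Set[str]) -> str:
    """'completed' when the policy links to an accepted plan URL, otherwise 'to do'."""
    if policy_text is None:
        return "to do"
    return "completed" if policy_urls_in(policy_text) & accepted_urls else "to do"


def verify_lifting(project_files: Mapping[str, str],
                   org_health_files: Optional[Mapping[str, str]],
                   accepted_urls: Set[str]) -> str:
    """Check the package repo first, then fall back to the organization's
    community health repo, and derive the task status from what is found.
    Running this once a day against a fresh snapshot reproduces the
    completed -> to do flip described when a file is moved or misconfigured."""
    text = find_security_policy(project_files, is_org_health_repo=False)
    if text is None and org_health_files is not None:
        text = find_security_policy(org_health_files, is_org_health_repo=True)
    return task_status(text, accepted_urls)


if __name__ == "__main__":
    accepted = {TIDELIFT_POLICY_URL}
    # Constructed snapshot: policy at the project root linking to the Tidelift plan.
    print(verify_lifting({"SECURITY.md": "Report issues via https://tidelift.com/security."},
                         None, accepted))
    # Constructed snapshot: the health repo carries the file under .github/, which
    # is the project-repo location, not the root the health repo requires.
    print(verify_lifting({"README.md": "no policy here"},
                         {".github/SECURITY.md": TIDELIFT_POLICY_URL}, accepted))
```

The third check the announcement describes, accepting a policy URL already established for another lifting in the same organization, is just a second entry in `accepted_urls`; no code path changes.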

I’ve moved it; but I’m not sure how to see that GitHub is picking up the file - maybe it takes some time? It’s also possible that they don’t support .github repos for non-organizations, in which case I might be SOL.

@ljharb I was digging into this earlier today and it seems that GitHub doesn’t think individual profiles qualify for “community” health files (the special repo). I’m going to try poking some people I know at GitHub about it but that seems like a longer-term solution. I don’t think we should support the .github repo on individual profiles until GitHub does because that would be confusing for consumers. Thoughts?

Sadly I think you’re right on both counts. Anything you can do to convince GitHub to prioritize supporting .github for individuals would be greatly appreciated :slight_smile:

1 Like