From f8233fb7109974c9fd978ac94d737e57e952f5ed Mon Sep 17 00:00:00 2001 From: tomer doron Date: Mon, 21 Jun 2021 15:06:48 -0700 Subject: [PATCH] adopt SSWG security guidelines (#30) * Create SECURITY.md * Update README.md * Update README.md --- README.md | 13 ++++++++++--- SECURITY.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index bfbe7a5..825acd3 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ a metrics backend for [swift-metrics](https://github.com/apple/swift-metrics) th * [graphite](https://graphiteapp.org) * many others -## getting started +## Getting started create an instance of the `StatsdClient` and boostrap the `MertricsSystem` in your application's main: @@ -26,8 +26,7 @@ remeber to also shutdown the client before you application terminates: statsdClient.shutdown() ``` - -## architecture +## Architecture the statsd client uses [swift-nio](https://github.com/apple/swift-nio) to establish a UDP connection to the statsd server @@ -36,3 +35,11 @@ metrics types are mapped as follwoing: * Gauge -> Gauge * Recorder -> Histogram * Timer -> Timer + +## Security + +Please see [SECURITY.md](SECURITY.md) for details on the security process. + +## Getting involved + +Do not hesitate to get in touch as well, over on https://forums.swift.org/c/server diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..b047caa --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,43 @@ +# Security + +This document specifies the security process for the SwiftStatsDClient project. + +## Disclosures + +### Private Disclosure Process + +The SwiftStatsDClient maintainers ask that known and suspected vulnerabilities be +privately and responsibly disclosed by emailing +[sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org) +with the all the required detail. +**Do not file a public issue.** + +#### When to report a vulnerability + +* You think you have discovered a potential security vulnerability in SwiftStatsDClient. +* You are unsure how a vulnerability affects SwiftStatsDClient. + +#### What happens next? + +* A member of the team will acknowledge receipt of the report within 3 + working days (United States). This may include a request for additional + information about reproducing the vulnerability. +* We will privately inform the Swift Server Work Group ([SSWG][sswg]) of the + vulnerability within 10 days of the report as per their [security + guidelines][sswg-security]. +* Once we have identified a fix we may ask you to validate it. We aim to do this + within 30 days. In some cases this may not be possible, for example when the + vulnerability exists at the protocol level and the industry must coordinate on + the disclosure process. +* If a CVE number is required, one will be requested from [MITRE][mitre] + providing you with full credit for the discovery. +* We will decide on a planned release date and let you know when it is. +* Prior to release, we will inform major dependents that a security-related + patch is impending. +* Once the fix has been released we will publish a security advisory on GitHub + and in the Server → Security Updates category on the [Swift forums][swift-forums-sec]. 
+ +[sswg]: https://github.com/swift-server/sswg +[sswg-security]: https://github.com/swift-server/sswg/blob/main/security/README.md +[swift-forums-sec]: https://forums.swift.org/c/server/security-updates/ +[mitre]: https://cveform.mitre.org/
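Review bot: in the first README.md hunk (the `## Getting started` heading change), the context line immediately below the new heading still carries two typos that should be fixed in the same change, since the section is already being touched: "boostrap" should read "bootstrap" and "MertricsSystem" should read "MetricsSystem", the swift-metrics type the sentence refers to. Suggested line: "create an instance of the `StatsdClient` and bootstrap the `MetricsSystem` in your application's main:".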
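Review bot: in the second README.md hunk (the `## Architecture` heading change), the context line "remeber to also shutdown the client before you application terminates:" has three errors worth correcting while the section is open: "remeber" should be "remember", "shutdown" used as a verb should be "shut down", and "you application" should be "your application". Dropping the extra blank line above the heading is fine, but the surrounding prose deserves the same cleanup the heading got.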
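Review bot: in the third README.md hunk (the new `## Security` and `## Getting involved` sections), the added sentence "Do not hesitate to get in touch as well, over on https://forums.swift.org/c/server" reads oddly because "as well" has nothing to attach to; suggest "Do not hesitate to get in touch over on https://forums.swift.org/c/server" and, to match the `[SECURITY.md](SECURITY.md)` link style used two lines above, render the forum URL as a markdown link. The context line "metrics types are mapped as follwoing:" at the top of the hunk should also read "as follows:".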
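Review bot: in the new SECURITY.md, the disclosure instructions ask reporters to email "with the all the required detail" but the document never states what that detail is, so a reporter cannot know whether a report is complete before sending it; besides fixing the duplicated article ("with all the required detail"), add a short list of the minimum contents expected, for example affected versions, steps to reproduce, and the assessed impact, under "Private Disclosure Process". Two smaller points in the same file: "Swift Server Work Group" should read "Swift Server Working Group", which is what the [sswg] link and the SSWG acronym stand for, and the acknowledgement SLA is given as "3 working days (United States)" while the SSWG notification is "within 10 days", so it is worth stating whether those 10 days are calendar or working days to avoid ambiguity in the commitment being made.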