Posted to commits@superset.apache.org by su...@apache.org on 2020/09/04 16:09:46 UTC

[incubator-superset] branch security-contributing created (now 02298df)

This is an automated email from the ASF dual-hosted git repository.

suddjian pushed a change to branch security-contributing
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git.


      at 02298df  a note on reporting security vulnerabilities

This branch includes the following new commits:

     new 02298df  a note on reporting security vulnerabilities

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[incubator-superset] 01/01: a note on reporting security vulnerabilities

Posted by su...@apache.org.

suddjian pushed a commit to branch security-contributing
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git

commit 02298df2ff140719110704d036d33c655461c018
Author: David Aaron Suddjian <18...@users.noreply.github.com>
AuthorDate: Fri Sep 4 09:09:04 2020 -0700

    a note on reporting security vulnerabilities
---
 CONTRIBUTING.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index e860092..ae7d70b 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -42,6 +42,7 @@ little bit helps, and credit will always be given.
       - [Merging](#merging)
       - [Post-merge Responsibility](#post-merge-responsibility)
   - [Managing Issues and PRs](#managing-issues-and-prs)
+  - [Reporting a Security Vulnerability](#reporting-a-security-vulnerability)
   - [Revert Guidelines](#revert-guidelines)
   - [Setup Local Environment for Development](#setup-local-environment-for-development)
     - [Documentation](#documentation)
@@ -264,6 +265,12 @@ If the PR passes CI tests and does not have any `need:` labels, it is ready for
 
 If an issue/PR has been inactive for >=30 days, it will be closed. If it does not have any status label, add `inactive`.
 
+## Reporting a Security Vulnerability
+
+Please report security vulnerabilities to private@superset.apache.org.
+
+In the event a community member discovers a security flaw in Superset, it is important to release a fix as quickly as possible before public disclosure of the issue. Reporting security vulnerabilities through the usual GitHub Issues channel is not ideal as it will publicize the flaw before a fix can be applied.
+
 ## Revert Guidelines
 
 Reverting changes that are causing issues in the master branch is a normal and expected part of the development process. In an open source community, the ramifications of a change cannot always be fully understood. With that in mind, here are some considerations to keep in mind when considering a revert:
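Review bot: The new section tells reporters where to send a report but not what to include or what happens after they send it; consider adding a sentence asking for the affected Superset version and steps to reproduce, and stating that the PMC will acknowledge the report and coordinate the fix and disclosure privately. The wording `Reporting security vulnerabilities through the usual GitHub Issues channel is not ideal` understates the point; stating it directly, e.g. `Please do not open a public GitHub issue for security problems, as that discloses the flaw before a fix is available`, makes the instruction unambiguous. Since people looking for a reporting address typically check a top-level SECURITY.md (which GitHub surfaces as the repository's security policy) rather than CONTRIBUTING.md, duplicating or linking this paragraph from such a file would make it easier to find.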