From ab04185a12b47a3e58096a114843807b334fd7d5 Mon Sep 17 00:00:00 2001 From: Nate Fischer Date: Thu, 6 Jan 2022 22:13:09 -0800 Subject: [PATCH 1/3] chore: add SECURITY.md No change to code. This adds a security policy. Issue #1058 --- .github/SECURITY.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 00000000..08358936 --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,27 @@ +# ShellJS Security Policy + +Thank you for reaching out regarding the security of the ShellJS module! Please +note that this project is maintained on a best-effort basis, however I still +intend to prioritize reviewing and addressing security issues. + +## Supported Versions + +I generally only support the latest ShellJS release (see +https://www.npmjs.com/package/shelljs). My goal is to release security fixes as +patch releases on top of whatever was most recently shipped. + +If breaking changes have already landed on the main development branch, I may +apply the patch on the relevant release branch (ex. +[`0.8-release`](https://github.com/shelljs/shelljs/commits/0.8-release) and +create a new release from there. + +## Reporting a Vulnerability + +Please report security vulnerabilities to ntfschr@gmail.com. I should respond +within a few days. Please **do not** disclose the nature of the suspected +vulnerability publicly. + +Please **only** use this email for security issues. It's also OK to use the +email if you're legitimately unsure if this is a security issue (better safe +than sorry). But for all other non-security issues, please use the GitHub issue +tracker. From e26440338f672c759655638424e3950cae8b3934 Mon Sep 17 00:00:00 2001 From: Nate Fischer Date: Thu, 6 Jan 2022 22:18:13 -0800 Subject: [PATCH 2/3] Add a little more and reformat --- .github/SECURITY.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 08358936..ec8bb027 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -18,8 +18,11 @@ create a new release from there. ## Reporting a Vulnerability Please report security vulnerabilities to ntfschr@gmail.com. I should respond -within a few days. Please **do not** disclose the nature of the suspected -vulnerability publicly. +within a few days. Although it's not strictly required, it helps me out if you +can include any proof of concept exploit code, suggested fix, etc. + +Please **do not** disclose the nature of the suspected vulnerability publicly. +I'd like a chance to patch the code before the issue is known to the public. Please **only** use this email for security issues. It's also OK to use the email if you're legitimately unsure if this is a security issue (better safe From b062c21c301bb9c7ca32bff1da824a88facea0ea Mon Sep 17 00:00:00 2001 From: Nate Fischer Date: Thu, 6 Jan 2022 22:19:39 -0800 Subject: [PATCH 3/3] Reword a sentence --- .github/SECURITY.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index ec8bb027..1496889b 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -21,8 +21,9 @@ Please report security vulnerabilities to ntfschr@gmail.com. I should respond within a few days. Although it's not strictly required, it helps me out if you can include any proof of concept exploit code, suggested fix, etc. -Please **do not** disclose the nature of the suspected vulnerability publicly. -I'd like a chance to patch the code before the issue is known to the public. +**Please do not publicly disclose the suspected vulnerability** until I have a +chance to review your report. I'd like a chance to patch the code before the +issue is known to the public. Please **only** use this email for security issues. It's also OK to use the email if you're legitimately unsure if this is a security issue (better safe
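Review bot: In patch 1/3, the "Supported Versions" paragraph has an unbalanced parenthesis: "(ex. [`0.8-release`](https://github.com/shelljs/shelljs/commits/0.8-release) and create a new release from there." opens "(ex." but never closes it, so the rendered Markdown reads oddly. Suggest "(e.g. [`0.8-release`](https://github.com/shelljs/shelljs/commits/0.8-release)) and create a new release from there." The same hunk's "best-effort basis, however I still intend" is a comma splice; "best-effort basis; however, I still intend" reads cleaner.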
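Review bot: In patch 2/3, the new sentence asks reporters to send "proof of concept exploit code" to a plain Gmail address with no mention of an encrypted channel; since the policy simultaneously asks that the vulnerability not be disclosed publicly, consider adding a sentence offering a PGP key (or another confidential channel) for reporters who want to send exploit details encrypted. Minor: "proof of concept" used as a modifier is conventionally hyphenated ("proof-of-concept exploit code").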
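Review bot: In patch 3/3, the reworded sentence "**Please do not publicly disclose the suspected vulnerability** until I have a chance to review your report." gives reporters no bound on how long that embargo lasts; combined with "I should respond within a few days" from the preceding context, a reporter still has no idea when they may publish if no fix lands. Suggest stating an expected disclosure window (for example a fixed number of days after the report) so the request is actionable on both sides. Style: the sentence that follows repeats "chance" ("until I have a chance ... I'd like a chance"); "I'd like the opportunity to patch the code before the issue is public" avoids the repetition.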