Skip to content

Commit 7ebe44c

Browse files
weissiweissi
authored
adopt security guidelines (apple#197)
1 parent 65a8e5e commit 7ebe44c

File tree

2 files changed

+47
-0
lines changed

2 files changed

+47
-0
lines changed

README.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -202,6 +202,10 @@ around between libraries to preserve metadata and the like.
202202
If you want to filter all log messages originating from a certain subsystem, filter by `source` which defaults to the module that is emitting the
203203
log message.
204204

205+
## Security
206+
207+
Please see [SECURITY.md](SECURITY.md) for SwiftLog's security process.
208+
205209
## Design
206210

207211
This logging API was designed with the contributors to the Swift on Server community and approved by the [SSWG (Swift Server Work Group)](https://swift.org/server/) to the 'sandbox level' of the SSWG's [incubation process](https://github.com/swift-server/sswg/blob/master/process/incubation.md).

SECURITY.md

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
# Security
2+
3+
This document specifies the security process for the SwiftLog project.
4+
5+
## Disclosures
6+
7+
### Private Disclosure Process
8+
9+
The SwiftLog maintainers ask that known and suspected vulnerabilities be
10+
privately and responsibly disclosed by emailing
11+
[[email protected]](mailto:[email protected])
12+
with the all the required detail.
13+
**Do not file a public issue.**
14+
15+
#### When to report a vulnerability
16+
17+
* You think you have discovered a potential security vulnerability in SwiftLog.
18+
* You are unsure how a vulnerability affects SwiftLog.
19+
20+
#### What happens next?
21+
22+
* A member of the team will acknowledge receipt of the report within 3
23+
working days (United States). This may include a request for additional
24+
information about reproducing the vulnerability.
25+
* We will privately inform the Swift Server Work Group ([SSWG][sswg]) of the
26+
vulnerability within 10 days of the report as per their [security
27+
guidelines][sswg-security].
28+
* Once we have identified a fix we may ask you to validate it. We aim to do this
29+
within 30 days. In some cases this may not be possible, for example when the
30+
vulnerability exists at the protocol level and the industry must coordinate on
31+
the disclosure process.
32+
* If a CVE number is required, one will be requested from [MITRE][mitre]
33+
providing you with full credit for the discovery.
34+
* We will decide on a planned release date and let you know when it is.
35+
* Prior to release, we will inform major dependents that a security-related
36+
patch is impending.
37+
* Once the fix has been released we will publish a security advisory on GitHub
38+
and in the Server → Security Updates category on the [Swift forums][swift-forums-sec].
39+
40+
[sswg]: https://github.com/swift-server/sswg
41+
[sswg-security]: https://github.com/swift-server/sswg/blob/main/security/README.md
42+
[swift-forums-sec]: https://forums.swift.org/c/server/security-updates/
43+
[mitre]: https://cveform.mitre.org/

0 commit comments

Comments
 (0)