Create SECURITY.md

[cldrn]

A nice place to find the contact info of the team handling security vulnerabilities.

[cldrn]

Who should i contact to report a security vulnerability in private?

[qqmyers]

@cldrn - Thanks for the PR - a good idea to make this clearer. If you have an issue to report, security@dataverse.org would be a good contact point.

[pdurbin]

Not a bad idea but how common is SECURITY.md? GitHub doesn't seem to recommend it:

For more on GitHub's recommendations: https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/about-community-profiles-for-public-repositories

This issue is related: "Securing Your Installation" section of Installation Guide could cover ongoing security, advisories, private discussion #3215

[pdurbin]

To make this table more clear for the purpose of my comments below, here's a screenshot:

I don't know if we write this down anywhere but generally we encourage installations to upgrade in order to receive security updates. If a flaw is found in an old version, we're not very likely to put out a point release to fix it.

[pdurbin]

As @qqmyers already mentioned, security@dataverse.org is the place to report security vulnerabilities. This is mentioned under "Reporting Issues and Contributing" at https://guides.dataverse.org/en/5.8/ as well as CONTRIBUTING.md, the issue template, and https://dataverse.org/contact

This issue is related: "Securing Your Installation" section of Installation Guide could cover ongoing security, advisories, private discussion #3215

[cldrn]

Hi,
It is suggested on the tab Security between de Wiki and Insights. GH is pushing for projects to use this as it makes it easier to track vulnerabilities and for security researchers to find the right contact. In there you could also explain the expected response time, procedures in general, etc. For example, I contacted security@dataverse.org and they haven't acknowledged the message so I am not sure if that contact was correct at the time.

[pdurbin]

@cldrn ah, yes, I see where GitHub suggests SECURITY.md now. Thanks. It looks like you've pretty much used the template.

Also, it looks like your ticket numbers are RT#313094 and RT#313114 but we're just starting to get back from winter break. It'll take some time for a reply. You should have at least received automated emails with the ticket numbers above.

As I mentioned at standup this morning, it probably make sense to have someone from the core team decide what to write in SECURITY.md so maybe one of us should take it from here.

[djbrooke]

Hi @cldrn - thanks for this PR. I'm going to close this out and we'll prioritize #3215 to add security.md and to update the Guides with additional security-related information.