Add vulnerability reporting to contributor documentation

XMLWordPrintableJSON

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Unknown
    • None
    • Component/s: AI/ML
    • None
    • Needed
    • Hide

      Summary of necessary driver changes

      Add the following blurb to development documentation:

      ## Reporting Security Issues
      
      Do not report security vulnerabilities via public GitHub issues or pull requests. Follow the instructions at https://www.mongodb.com/docs/manual/tutorial/create-a-vulnerability-report/ instead.
      

      Add to applicable human-intended documentation (CONTRIBUTING.md / SECURITY.md).

      Show
      Summary of necessary driver changes Add the following blurb to development documentation: ## Reporting Security Issues Do not report security vulnerabilities via public GitHub issues or pull requests. Follow the instructions at https://www.mongodb.com/docs/manual/tutorial/create-a-vulnerability-report/ instead. Add to applicable human-intended documentation (CONTRIBUTING.md / SECURITY.md).

      Summary

      Update CONTRIBUTING.md or similar to refer to Create a Vulnerability Report for security bugs. Proposed wording:

      ## Reporting Security Issues
      
      Do not report security vulnerabilities via public GitHub issues or pull requests. Follow the instructions at https://www.mongodb.com/docs/manual/tutorial/create-a-vulnerability-report/ instead.
      

      Motivation

      Motivated by a PR created as an "automated security fix" from "OrbisAI Security" to libmongocrypt: https://github.com/mongodb/libmongocrypt/pull/1189. The PR was determined to be bogus, reported to GitHub, and removed. But opening a public PR for a legitimate security issue may risk earlier exposure to a security bug.

      This initially proposed adding to AGENTS.md, but later deemed unnecessary.

      Who is the affected end user?

      Most users?

      How does this affect the end user?

      Early exposure of a security bug may put user applications at more risk of being exploited.

      How likely is it that this problem or use case will occur?

      Likely?

      If the problem does occur, what are the consequences and how severe are they?

      Security concern for users.

      Is this issue urgent?

      No?

      Is this ticket required by a downstream team?

      No?

      Is this ticket only for tests?

      No?

      Acceptance Criteria

            Assignee:
            Unassigned
            Reporter:
            Kevin Albertson
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: