-
Type:
Improvement
-
Resolution: Unresolved
-
Priority:
Unknown
-
None
-
Component/s: AI/ML
-
None
-
Needed
-
Summary
Update CONTRIBUTING.md or similar to refer to Create a Vulnerability Report for security bugs. Proposed wording:
## Reporting Security Issues Do not report security vulnerabilities via public GitHub issues or pull requests. Follow the instructions at https://www.mongodb.com/docs/manual/tutorial/create-a-vulnerability-report/ instead.
Motivation
Motivated by a PR created as an "automated security fix" from "OrbisAI Security" to libmongocrypt: https://github.com/mongodb/libmongocrypt/pull/1189. The PR was determined to be bogus, reported to GitHub, and removed. But opening a public PR for a legitimate security issue may risk earlier exposure to a security bug.
This initially proposed adding to AGENTS.md, but later deemed unnecessary.
Who is the affected end user?
Most users?
How does this affect the end user?
Early exposure of a security bug may put user applications at more risk of being exploited.
How likely is it that this problem or use case will occur?
Likely?
If the problem does occur, what are the consequences and how severe are they?
Security concern for users.
Is this issue urgent?
No?
Is this ticket required by a downstream team?
No?
Is this ticket only for tests?
No?
Acceptance Criteria
- Developer documentation will direct the user to https://www.mongodb.com/docs/manual/tutorial/create-a-vulnerability-report/
- related to
-
DRIVERS-3428 AGENTS.md standardization for all DBX Repositories
-
- Implementing
-