Summary

Add extra way to report security vulnerability

Review Request #806 — Created July 13, 2021 and submitted July 15, 2021, 5:41 a.m.

Information

Owner

sorvival

Repository

pidgin/nest

Branch

default

Bugs

Depends On

Commit

e6e64d98a3f3

Reviewers

Groups

pidgin-www

People

Description

- Add an extra way of reporting a security vulnerability in the project. This
  is done by creating a new issue in our issue tracker and ensuring that the
  visibility of it is set so that only Pidgin Developers can view it.
- Fix a simple mistake in markdown link syntax in the contributing page which
  links back to the Security page.
- Change hardcoded link to list of advisories to a Hugo ref link (if we ever
  change the location of the advisories page this will make Hugo throw an error
  since it won't be able to find the page, otherwise the link would just end up
  being broken without us necessarily knowing about it.

Testing Done

Ran dev-server.sh and verified content looks as intended.

Issues

Description	From	Last Updated
So I just tried this with my non admin account and you can only see the groups that you are …	grim	July 15, 2021, 5:40 a.m.

Yes, I don't know how I didn't notice in the previous PR that I had messed up the markdown link syntax that I'm fixing here as well :P

Ship it!

```
Ship It!
```

hugo/content/about/security/_index.md (Diff revision 1)

The issue has been resolved. Show all issues

So I just tried this with my non admin account and you can only see the groups that you are a part of. Since it's not a pidgin developer, it doesn't see it.

However, we can use an issue template url like https://issues.imfreedom.org/newIssue?project=PIDGIN&c=visible%20to%20Pidgin%20Developers where the issue will automatically be set correctly. See https://issues.imfreedom.org/issue/PIDGIN-17545 for an example that was created with that link.

sorvival July 13, 2021, 11:12 p.m.

I can see the Pidgin Developer group and I can select it in the dropdown and I'm not a member of that group (at least afaik). Maybe if I try to submit it an error will appear? Either way, I prefer your alternative of having the link already setup so that it sets the visibility as needed, it will lower the chances of someone using the issue tracker to post a (possible) vulnerability without restricted visibility.