[BUG] issues with Hertzbeat Security docs #2854

Open
1 task done
pjfanning opened this issue Dec 2, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@pjfanning commented Dec 2, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

The link to report a security issue on https://github.com/apache/hertzbeat/issues/new/choose is not ASF standard practice. It is my understanding that all security issues relating to ASF projects and podlings need to be reported to an ASF mailing list. The default is [email protected] but some well established projects have mailing lists of form [email protected]. These mails are visible to the ASF Security team and this allows independent monitoring of whether ASF teams are dealing with reports.

I also think that https://github.com/apache/hertzbeat?tab=security-ov-file#readme should be updated to explicitly link to https://www.apache.org/security/ and to be much more explicit about the need to keep the issue private until the project team gets to look at the issue and if necessary, attempt a fix.

fyi @raboof

Expected Behavior

Follow standard ASF Security practices

Steps To Reproduce

No response

Environment

HertzBeat version(s):

Debug logs

No response

Anything else?

No response

@tomsun28 (Contributor) commented Dec 3, 2024

Hi, thanks for pointing that out. We will update these docs.

@raboof (Member) commented Dec 3, 2024

> The link to report a security issue on https://github.com/apache/hertzbeat/issues/new/choose is not ASF standard practice. It is my understanding that all security issues relating to ASF projects and podlings need to be reported to an ASF mailing list. The default is [email protected] but some well established projects have mailing lists of form [email protected]. These mails are visible to the ASF Security team and this allows independent monitoring of whether ASF teams are dealing with reports.

Yes, we should disable the option to report security issues through GitHub Private Vulnerability Reporting, because it currently does not leave the correct audit log. Before disabling GitHub Private Vulnerability Reporting for Hertzbeat, though, we should double-check the issues reported through this mechanism have since been dealt with the ASF way. @tomsun28 can you (and the rest of the PPMC) double-check this?

Looking further ahead, we do want to enable projects to opt-in into accepting security issues through GitHub Private Vulnerability Reporting. However, before we can enable this, we must put into place the proper audit mechanisms. This is tracked in https://issues.apache.org/jira/browse/INFRA-25020 (private link).

> I also think that https://github.com/apache/hertzbeat?tab=security-ov-file#readme should be updated to explicitly link to https://www.apache.org/security/

I agree that would be good. This might also be a good place to describe Hertzbeat's security model - see https://cwiki.apache.org/confluence/display/SECURITY/Documenting+your+security+model for more information on that.

@tomsun28 (Contributor) commented Dec 4, 2024

> Yes, we should disable the option to report security issues through GitHub Private Vulnerability Reporting, because it currently does not leave the correct audit log. Before disabling GitHub Private Vulnerability Reporting for Hertzbeat, though, we should double-check the issues reported through this mechanism have since been dealt with the ASF way. @tomsun28 can you (and the rest of the PPMC) double-check this?

Hi raboof, thanks for the suggestion. I have double-checked that all security vulnerability reports since HertzBeat joined the ASF incubator have been dealt with the ASF way. It seems that we don't have the permission to disable this option. I will ask the infra team for help.

> I agree that would be good. This might also be a good place to describe Hertzbeat's security model - see https://cwiki.apache.org/confluence/display/SECURITY/Documenting+your+security+model for more information on that.

Yes, we have just added HertzBeat's security model doc: https://hertzbeat.apache.org/docs/help/security_model

@raboof (Member) commented Dec 4, 2024

> Yes, we should disable the option to report security issues through GitHub Private Vulnerability Reporting, because it currently does not leave the correct audit log. Before disabling GitHub Private Vulnerability Reporting for Hertzbeat, though, we should double-check the issues reported through this mechanism have since been dealt with the ASF way. @tomsun28 can you (and the rest of the PPMC) double-check this?

> Hi raboof, thanks for the suggestion. I have double-checked that all security vulnerability reports since HertzBeat joined the ASF incubator have been dealt with the ASF way. It seems that we don't have the permission to disable this option. I will ask the infra team for help.

Thanks - I have disabled the feature.

> I agree that would be good. This might also be a good place to describe Hertzbeat's security model - see https://cwiki.apache.org/confluence/display/SECURITY/Documenting+your+security+model for more information on that.

> Yes, we have just added HertzBeat's security model doc: https://hertzbeat.apache.org/docs/help/security_model

Awesome! It might be nice to add the documentation on how to privately report an issue to that page as well? Then you can replace the 'Security' link in the main menu with a link to that page.

@tomsun28 (Contributor) commented Dec 4, 2024

> Awesome! It might be nice to add the documentation on how to privately report an issue to that page as well? Then you can replace the 'Security' link in the main menu with a link to that page.

OK, I will update these docs.
