From 5f51d3f156f851ff59133a775bf9727e41b83516 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bastian=20Echterh=C3=B6lter?= Date: Tue, 7 Apr 2026 15:03:33 +0200 Subject: [PATCH 1/2] docs: add foundation-wide security policy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on the platform-mesh SECURITY.md, generalized for all NeoNephos organizations with per-org security contacts and a foundation-wide fallback address. Signed-off-by: Bastian Echterhölter On-behalf-of: @SAP --- security-guidelines/security-guidelines.md | 57 +++++++++++++++++++++- 1 file changed, 56 insertions(+), 1 deletion(-) diff --git a/security-guidelines/security-guidelines.md b/security-guidelines/security-guidelines.md index ed303e2..cacc021 100644 --- a/security-guidelines/security-guidelines.md +++ b/security-guidelines/security-guidelines.md 
@@ -1 +1,56 @@ -# NeoNephos Security Guidelines \ No newline at end of file +# NeoNephos Security Policy + +The NeoNephos Foundation takes the security of our software seriously, including all source code repositories managed through its GitHub organizations. + +If you believe you have found a security vulnerability in any NeoNephos repository, please report it to us as described below. + +## Reporting Security Issues + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please use one of the following channels: + + - **GitHub Security Advisories** — navigate to the **Security** tab of the affected repository and select **"Report a vulnerability"** to privately report an advisory. + - **Email** — contact the security team of the affected organization (see table below). + +| Organization | Security Contact | +|---|---| +| [platform-mesh](https://github.com/platform-mesh) | [platform-mesh-security@lists.neonephos.org](mailto:platform-mesh-security@lists.neonephos.org) | +| [openmfp](https://github.com/openmfp) | [openmfp-security@lists.neonephos.org](mailto:openmfp-security@lists.neonephos.org) | + +Organizations not listed above should use the foundation-wide security contact: [security@lists.neonephos.org](mailto:security@lists.neonephos.org) + +Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: + + - The repository name or URL + - Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.) 
+ - Full paths of the source file(s) related to the manifestation of the issue + - The location of the affected source code (tag/branch/commit or direct URL) + - Any particular configuration required to reproduce the issue + - Step-by-step instructions to reproduce the issue + - Proof-of-concept or exploit code (if possible) + - Impact of the issue, including how an attacker might exploit the issue + +This information will help us triage your report more quickly. + +## Preferred Languages + +We prefer all communications to be in English. + +## Disclosure Policy + +We follow the principle of [Coordinated Vulnerability Disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure). We ask that you: + + - Allow us a reasonable time to investigate and address the issue before making any information public. + - Make a good faith effort to avoid privacy violations, data destruction, and disruption of services. + - Do not exploit the vulnerability beyond what is necessary to verify it. + +We commit to: + + - Acknowledging receipt of your vulnerability report. + - Providing an estimated timeline for a fix. + - Notifying you when the vulnerability is resolved. + +## Adopting This Policy + +Each NeoNephos organization should place a `SECURITY.md` file in its `.github` repository (or in individual repositories) that references or adapts this policy. At a minimum, the file should specify the organization-specific security contact and link back to this guideline for the full disclosure process. \ No newline at end of file From 1fef9580043b11414c0b456758684a2e5c8332cd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Bastian=20Echterh=C3=B6lter?= Date: Tue, 7 Apr 2026 15:09:01 +0200 Subject: [PATCH 2/2] docs: rework security policy as reusable template MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Convert the security guideline into a template with placeholders that each NeoNephos project organization can adopt in their own .github repository. Signed-off-by: Bastian Echterhölter On-behalf-of: @SAP --- security-guidelines/security-guidelines.md | 33 +++++++++++++--------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/security-guidelines/security-guidelines.md b/security-guidelines/security-guidelines.md index cacc021..fdb4d59 100644 --- a/security-guidelines/security-guidelines.md +++ b/security-guidelines/security-guidelines.md @@ -1,8 +1,16 @@ -# NeoNephos Security Policy +# NeoNephos Security Policy Template -The NeoNephos Foundation takes the security of our software seriously, including all source code repositories managed through its GitHub organizations. +This document provides a default security policy for NeoNephos Foundation projects. Each project organization should place a `SECURITY.md` file in its `.github` repository (or in individual repositories) based on this template. -If you believe you have found a security vulnerability in any NeoNephos repository, please report it to us as described below. +Replace all `{{ PLACEHOLDER }}` values with your organization-specific details before publishing. + +--- + +# {{ PROJECT_NAME }} Security Policy + +The {{ PROJECT_NAME }} project takes the security of our software seriously, including all source code repositories managed through the [{{ ORG_NAME }}](https://github.com/{{ ORG_NAME }}) GitHub organization. + +If you believe you have found a security vulnerability in any {{ ORG_NAME }} repository, please report it to us as described below. ## Reporting Security Issues 
@@ -11,14 +19,7 @@ If you believe you have found a security vulnerability in any NeoNephos reposito Instead, please use one of the following channels: - **GitHub Security Advisories** — navigate to the **Security** tab of the affected repository and select **"Report a vulnerability"** to privately report an advisory. - - **Email** — contact the security team of the affected organization (see table below). - -| Organization | Security Contact | -|---|---| -| [platform-mesh](https://github.com/platform-mesh) | [platform-mesh-security@lists.neonephos.org](mailto:platform-mesh-security@lists.neonephos.org) | -| [openmfp](https://github.com/openmfp) | [openmfp-security@lists.neonephos.org](mailto:openmfp-security@lists.neonephos.org) | - -Organizations not listed above should use the foundation-wide security contact: [security@lists.neonephos.org](mailto:security@lists.neonephos.org) + - **Email**: [{{ SECURITY_EMAIL }}](mailto:{{ SECURITY_EMAIL }}) Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: @@ -51,6 +52,12 @@ We commit to: - Providing an estimated timeline for a fix. - Notifying you when the vulnerability is resolved. -## Adopting This Policy +--- + +## Placeholders Reference -Each NeoNephos organization should place a `SECURITY.md` file in its `.github` repository (or in individual repositories) that references or adapts this policy. At a minimum, the file should specify the organization-specific security contact and link back to this guideline for the full disclosure process. \ No newline at end of file +| Placeholder | Description | Example | +|---|---|---| +| `{{ PROJECT_NAME }}` | Human-readable project name | Platform Mesh | +| `{{ ORG_NAME }}` | GitHub organization name | platform-mesh | +| `{{ SECURITY_EMAIL }}` | Security contact email | platform-mesh-security@lists.neonephos.org |
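Review bot: In the first patch's only hunk (`@@ -1 +1,56 @@`), the rewritten file still ends without a trailing newline (the `\ No newline at end of file` marker follows the "Adopting This Policy" paragraph); add one so the next change to this file does not produce a noisy end-of-file hunk. In the same hunk, the "Disclosure Policy" section commits to "Acknowledging receipt of your vulnerability report" and to "Providing an estimated timeline for a fix" but gives no target for either, while asking reporters to allow "a reasonable time"; stating a concrete acknowledgement window makes the ask measurable and tells a reporter when to escalate to the foundation-wide address.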
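Review bot: In hunk `@@ -1,8 +1,16 @@` the file now carries two H1 headings, `# NeoNephos Security Policy Template` and `# {{ PROJECT_NAME }} Security Policy`, with only a `---` rule and the sentence "Replace all `{{ PLACEHOLDER }}` values with your organization-specific details before publishing." separating the template instructions from the text an adopter is meant to publish. An organization that copies the file whole will ship the preamble; either say explicitly that everything above the rule must be deleted, or wrap the preamble in an HTML comment (`<!-- ... -->`) so it stays invisible when rendered even if left in place.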
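Review bot: Hunk `@@ -11,14 +19,7 @@` removes the per-organization contact table together with the foundation-wide fallback line "Organizations not listed above should use the foundation-wide security contact: security@lists.neonephos.org", so after this series no published text names an address for an organization that has not yet created its own list. Keep the fallback somewhere visible to adopters, for example as the documented default for `{{ SECURITY_EMAIL }}`. Also note that the placeholder is now used inside a link, `[{{ SECURITY_EMAIL }}](mailto:{{ SECURITY_EMAIL }})`, so an unreplaced placeholder renders as a broken mailto link rather than obvious template text; a pre-publish check that the file contains no `{{` would catch this.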
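Review bot: In hunk `@@ -51,6 +52,12 @@` the new "Placeholders Reference" table is placed below a second `---` rule, i.e. inside the region an adopter copies into their own `SECURITY.md`, so the published policy will carry the placeholder table unless the adopter remembers to strip it. Move the table above the first rule next to the "Replace all `{{ PLACEHOLDER }}` values" instruction, or state in the preamble that only the text between the two rules is to be published. Since the first patch introduced the missing trailing newline and this hunk removes that marker, the two commits could also be squashed so the intermediate state never lands.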