Skip to content

chore(security.md): add more precisions regarding sec bugs reporting #2692

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 21, 2025
Merged

chore(security.md): add more precisions regarding sec bugs reporting #2692

merged 2 commits into from
Jul 21, 2025

Conversation

machine424
Copy link
Member

No description provided.

@machine424
Copy link
Member Author

cc @SuperQ

@SuperQ SuperQ self-requested a review July 18, 2025 16:23
bboreham
bboreham approved these changes Jul 18, 2025
View reviewed changes
Copy link
Member

@bboreham bboreham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems reasonable

SuperQ
SuperQ reviewed Jul 18, 2025
View reviewed changes
docs/operating/security.md Outdated
Comment on lines 33 to 36
For _security bugs_ that have already been publicly disclosed and require more than
just a dependency version bump to fix, please open a
[Bug report](https://github.com/prometheus/prometheus/issues) including all relevant
details, unless one has already been filed.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reading order. Let's put this first.

Let's also explicitly mention "publicly disclosed, for example CVEs, ...".

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A CVE can be embargoed and we want the private channel to be used for that. I'll use public CVEs

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good idea about the order, done.
we don't want it to be missed, I didn't put it at the end.

@machine424
address review feedback
ff6aee6 
Signed-off-by: machine424 <[email protected]>
@machine424 machine424 requested a review from SuperQ July 18, 2025 16:52
@machine424 machine424 merged commit 9e87608 into prometheus:main Jul 21, 2025
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bboreham bboreham bboreham approved these changes

@SuperQ SuperQ Awaiting requested review from SuperQ

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@machine424 @SuperQ @bboreham