While it is mentioned in some locations, the security team's policy is not made completely clear on who gets credit on an SA or what format it will be in. It was briefly discussed before (https://groups.drupal.org/node/194073), and here the SA form fields have default values like the following:
<a href="https://www.drupal.org/user/XXXUID">Real Name</a>
<a href="https://www.drupal.org/user/XXXUID">Real Name</a> of the Drupal Security Team
<a href="https://www.drupal.org/user/XXXUID">Real Name</a> the module maintainer
So the format currently is:
[a href="https://www.drupal.org/user/XXXUID"]Real Name[/a]
with either "of the Drupal Security Team" or "the [module] maintainer" appended as appropriate. Furthermore, the drupal.org user agreement specifically states:
3. If you are sharing your user account with multiple people (e.g. as your “official” organization account), you are not allowed to do the following using this account:
- commit code to Git repositories on the Website
- create any nodes except for organization, case study or project nodes
- comment on nodes
If you are sharing your user account with multiple people you ARE allowed to:
- create project nodes
- create organization nodes
- create case study nodes
- submit translations to localize.drupal.org
Therefore the user accounts mentioned in an SA must belong to individual users, not an organization.
What I would like to do is combine all of these into a documentation page in the security-team section on d.o. What I'm figuring is something like the following:
Security Advisory naming policy
The security team's security advisory naming policy fits in line with the drupal.org user agreement. As such, individual users who report, work on or commit security fixes will be named in the security advisory. Depending upon the specific situation, the name will be listed in one of the following formats:
<a href="https://www.drupal.org/u/[username]">Full name</a>.
<a href="https://www.drupal.org/u/[username]">Full name</a> of the Drupal Security Team.
<a href="https://www.drupal.org/u/[username]">Full name</a>, the [module/theme/core] maintainer.
Additional notes:
- If the user's full name cannot be identified from their drupal.org user profile, their username will be used.
- If the user does not have a user account on drupal.org, e.g. they emailed details to the security team and refrained from creating a user account, there would not be a link for their name.
Are there any other improvements or details that should be noted?
Comments
Sometimes vulnerabilities are reported through other channels (Email, IRC, phone calls!) by people that don't have drupal.org user accounts. In that case we should just credit them with whatever name they would like.
Examples that are all acceptable to me:
Pseudonyms: L33tH4Xooress
Pseudonyms with links to their homepage: L33tH4Xooress
Real names: Barbara Smart (with or without link)
Organizations: Security lab Trans*H4ck (with or without links)
Proposal: default to full name and drupal.org account, but otherwise just put in whatever the reporter would like. Credit where credit is due!
Organization, client/project credit?
Given that issues on Drupal.org allow credit to be given for the organization funding the work, or even the client/project that the work was for, should we not also include that in the SA?
IMO people should put that on their drupal.org profile.
knaddison blog | Morris Animal Foundation
The new content type will allow for this; however, the credit won't show up on the SA, but it will show up on their profile and, if a company, in the company's commit credits.
The existing standard that has evolved from prior discussions is in https://www.drupal.org/security-team/report-issue
Two sections that seem relevant to me:
knaddison blog | Morris Animal Foundation