Security: cosmic-zip/kokai

SECURITY.md

Security Policy

  1. Reporting security problems to Oku
  2. Security Point of Contact
  3. Incident Response Process
  4. Vulnerability Management Plans

Reporting security problems to Oku

DO NOT CREATE AN ISSUE to report a security problem. Instead, please send an email to [email protected].

Security Point of Contact

The security point of contact is Oku's maintainer, Emil Sayahi. Emil responds to security incident reports as fast as possible, within one business day at the latest.

Incident Response Process

If an incident is discovered or reported, I will follow this process to contain it, respond to it and remediate it:

1. Containment

The first step is to find out the root cause, nature and scope of the incident.

  • Is the incident outside of my direct control? If yes, the first priority is to contain it.
  • Find out who knows about the incident and who is affected.
  • Find out what data was potentially exposed.

2. Response

After the initial assessment and containment to the best of my abilities, I will document all actions taken in a response plan.

I will post a comment in the official 'Security updates' issue to inform users about the incident and what actions I took to contain it.

3. Remediation

Once the incident is confirmed to be resolved, I will summarize the lessons learned from the incident and create a list of actions I will take to prevent it from happening again.

Vulnerability Management Plans

Keep dependencies up to date

Oku relies on many dependencies, and any one of them may turn out to have a security vulnerability. When a dependency has a vulnerability, it will likely be patched upstream, and it is important that we incorporate those patches into Oku promptly by updating the dependency.

Critical Updates And Security Notices

We learn about critical software updates and security threats from these sources:

  1. GitHub Security Alerts (alerted through GitHub Dependabot)
  2. WhiteSource Bolt
  3. ShiftLeft Scan (codebase scanning)
  4. RustSec Advisory Database (monitoring for vulnerable dependencies using cargo-audit)
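One way to run the cargo-audit check from the last item automatically, so that a newly published RustSec advisory for a dependency in Cargo.lock fails the build instead of waiting for someone to run the tool by hand. This is an added example, not a workflow from Oku's repository; the workflow name, trigger paths and daily schedule are assumptions.

```yaml
# Added example, not Oku's own workflow. Runs cargo-audit against Cargo.lock
# whenever the dependency manifest changes and once a day, so advisories
# published after the last commit are still caught. Names and schedule are
# assumptions.
name: rustsec-audit

on:
  push:
    paths:
      - "Cargo.toml"
      - "Cargo.lock"
  schedule:
    - cron: "0 6 * * *"   # daily run catches advisories published since the last push

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install cargo-audit
        run: cargo install cargo-audit --locked

      # --deny warnings also fails on yanked or unmaintained crates, not only
      # on crates with a published vulnerability.
      - name: Audit dependencies against the RustSec Advisory Database
        run: cargo audit --deny warnings
```

The scheduled trigger is the important part: Dependabot and a push-triggered audit only react to changes in the repository, whereas an advisory can be published for a dependency version that has been pinned in Cargo.lock for months.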

There aren’t any published security advisories