Conversation
Summary of Changes

Hello @simon-song-wd, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request comprehensively updates the project's security policy, providing a more robust and transparent framework for vulnerability reporting and management. The changes aim to clarify expectations for security researchers, streamline the reporting process, and establish clear timelines for validation, remediation, and public disclosure, ultimately enhancing the overall security posture.
Code Review
This pull request provides a significant update to the security policy, adding more detail and structure. The changes are mostly positive, but there are a few areas with redundant information and minor typos that should be addressed to improve clarity and professionalism. I've left specific comments on these points.
| - CSRF on unauthenticated/logout/login pages | ||
| - Hypothetical issues that do not have a demonstrable, practical impact | ||
| - Vulnerabilities that affect out-of-date browsers | ||
| - ClickjackingCSRF on unauthenticated/logout/login pages |
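Review bot: the CSRF entry is listed twice in this block, once on its own as 'CSRF on unauthenticated/logout/login pages' and again run together with the clickjacking item as 'ClickjackingCSRF on unauthenticated/logout/login pages'. Keep 'Clickjacking' and the CSRF item as two separate bullets and drop the duplicate.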
| - Social engineering attacks | ||
| - Activities that cause service disruption (DoS) | ||
| - Denial service via bruteforce attack | ||
| - Content spoofing and text injection without a valid attack vector | ||
| - Username enumeration via Login Page error message | ||
| - Username enumeration via Forgot password error message | ||
| - Bruteforce attacks | ||
| - Email spoofing | ||
| - Absence of DNSSEC, CAA, CSP headers | ||
| - Missing Secure or HTTP-only flag on non-sensitive cookies | ||
| - Deadlinks | ||
| - User enumeration | ||
| - Social Engineering |
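Review bot: beyond the duplicates already flagged, the enumeration entries overlap: 'Username enumeration via Login Page error message', 'Username enumeration via Forgot password error message' and the bare 'User enumeration' state the same exclusion three times, and a single bullet such as 'User enumeration (e.g. via login or forgot-password error messages)' would cover them. Two wording points in the same block: 'Denial service via bruteforce attack' is missing 'of', and in 'Absence of DNSSEC, CAA, CSP headers' only CSP is an HTTP header, since DNSSEC and CAA are DNS records, so 'Absence of DNSSEC or CAA records, or of CSP headers' reads more accurately.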
The 'Out of scope vulnerabilities' list contains some redundant entries that should be consolidated for clarity:
- 'Social engineering attacks' (line 17) is repeated as 'Social Engineering' (line 28).
- 'Denial service via bruteforce attack' (line 18) and 'Bruteforce attacks' (line 22) are overlapping.
Please review and merge these items to make the list clearer and more concise.
| ### Reporting Guidelines | ||
|
|
||
| - Submit your findings to https://github.com/FlowiseAI/Flowise/security | ||
| - Provide clear details to help us reproduce and fix the issue quickly. | ||
|
|
||
| ### Disclosure Guidelines | ||
| ### Reporting Guidelines | ||
|
|
||
| - Submit your findings to https://github.com/FlowiseAI/Flowise/security | ||
| - Ensure that the vulnerability is exploitable. Theoretical or static application security testing reports are subject to dismissal. | ||
| - Submit the report with CVSS vector and calculated severity. | ||
| - Provide a clear detailed report with proof of concept to help us reproduce and remediate the vulnerability. |
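Review bot: the '### Disclosure Guidelines' heading is immediately followed by the second '### Reporting Guidelines' heading, so the disclosure section has no content of its own in this hunk. Whichever reporting block is kept, either place the public-disclosure text (the 30-day post-release paragraph shown in the later hunk) under the disclosure heading or remove the empty heading. Separately, 'Submit the report with CVSS vector and calculated severity' should name the CVSS version the team expects (for example 'CVSS v3.1 or v4.0 vector'), since the same finding scores differently across versions and the policy otherwise leaves the reporter guessing.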
There are two Reporting Guidelines sections, which is redundant. The second section is more comprehensive. Please remove the first, duplicated section to avoid confusion.
| ### Reporting Guidelines | |
| - Submit your findings to https://github.com/FlowiseAI/Flowise/security | |
| - Provide clear details to help us reproduce and fix the issue quickly. | |
| ### Disclosure Guidelines | |
| ### Reporting Guidelines | |
| - Submit your findings to https://github.com/FlowiseAI/Flowise/security | |
| - Ensure that the vulnerability is exploitable. Theoretical or static application security testing reports are subject to dismissal. | |
| - Submit the report with CVSS vector and calculated severity. | |
| - Provide a clear detailed report with proof of concept to help us reproduce and remediate the vulnerability. | |
| ### Reporting Guidelines | |
| - Submit your findings to https://github.com/FlowiseAI/Flowise/security | |
| - Ensure that the vulnerability is exploitable. Theoretical or static application security testing reports are subject to dismissal. | |
| - Submit the report with CVSS vector and calculated severity. | |
| - Provide a clear detailed report with proof of concept to help us reproduce and remediate the vulnerability. |
| Public Disclosure occurs exactly 30 days after the next official release that includes the security patch. This period gives Flowise users a time to adopt the patched version before technical vulnerability details are made public, mitigating the risk of immediate post-disclosure exploitation. | ||
|
|
||
| #### Reaching out to the Security team | ||
| To report a new vulnerability, please submit a Github security Security Advisory report. |
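Review bot: 'gives Flowise users a time to adopt the patched version' should read 'gives Flowise users time to adopt the patched version'. The phrase 'occurs exactly 30 days after the next official release' also leaves no room for a fix that ships in stages or a follow-up release after a regression; 'at least 30 days', or a sentence noting that the date may be extended by agreement with the reporter, would be safer wording for a published policy.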
The word 'Security' is repeated in 'Github security Security Advisory report'. Removing the duplicate will improve readability.
| To report a new vulnerability, please submit a Github security Security Advisory report. | |
| To report a new vulnerability, please submit a Github Security Advisory report. |
No description provided.