Security Overview for Contributors - magma/magma GitHub Wiki

Getting Started

If you need to report a weakness and are not a Magma contributor, use the method documented in the Security tab.

If you are a potential contributor on security but don't yet have an established reputation, first make yourself useful in other ways, such as working on good first issues or good intern projects.

If you are ready to contribute to security, start by getting access to the security repo and Slack channel.

To request access, you can ask around on Slack, post an issue in the regular repo, ping Lucas Gonze on GitHub, or email [email protected].

Before adding or updating an action, familiarize yourself with Secure Use of Github Actions.

Additional Resources

To organize tickets using a board, use the Security project.

To work on upstream vulnerabilities, use Dependabot alerts on the magma/magma repo. If you need access to that, ask an admin on the magma/magma repo.