chore(security): flesh out security policy (vectordotdev#1642)

Signed-off-by: Luke Steensen <[email protected]>
Signed-off-by: binarylogic <[email protected]>

.meta/links.toml

@@ -38,6 +38,7 @@ aws_s3_regions = "https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_re
 aws_s3_service_limits = "https://docs.aws.amazon.com/streams/latest/dev/service-sizes-and-limits.html"
 basic_auth = "https://en.wikipedia.org/wiki/Basic_access_authentication"
 big_query_streaming = "https://cloud.google.com/bigquery/streaming-data-into-bigquery"
+cargo_audit = "https://github.com/RustSec/cargo-audit"
 cgroups_limit_resources = "https://the.binbashtheory.com/control-resources-cgroups/"
 clickhouse = "https://clickhouse.yandex/"
 clickhouse_http = "https://clickhouse.yandex/docs/en/interfaces/http/"
@@ -68,6 +69,9 @@ gcp_projects = "https://cloud.google.com/resource-manager/docs/creating-managing
 gcp_resources = "https://cloud.google.com/monitoring/api/resources"
 gcp_stackdriver_logging = "https://cloud.google.com/logging/docs/reference/v2/rest/"
 gcp_stackdriver_logging_rest = "https://cloud.google.com/logging/"
+git = "https://git-scm.com/"
+github_protected_branches = "https://help.github.com/en/github/administering-a-repository/about-protected-branches"
+github_sign_commits = "https://help.github.com/en/github/authenticating-to-github/signing-commits"
 globbing = "https://en.wikipedia.org/wiki/Glob_(programming)"
 grok = "http://grokdebug.herokuapp.com/"
 grok_debugger = "http://grokdebug.herokuapp.com/"
@@ -137,6 +141,7 @@ rust = "https://www.rust-lang.org/"
 rust_date_time = "https://docs.rs/chrono/0.4.0/chrono/struct.DateTime.html"
 rust_grok_library = "https://github.com/daschl/grok"
 rust_regex_syntax = "https://docs.rs/regex/1.1.7/regex/#syntax"
+rust_sec = "https://rustsec.org/"
 rust_subprocess = "https://docs.rs/subprocess"
 rust_target_triples  = "https://forge.rust-lang.org/platform-support.html"
 rust_tier_1_platform = "https://forge.rust-lang.org/release/platform-support.html#tier-1"
@@ -160,7 +165,6 @@ syslog_3164 = "https://tools.ietf.org/html/rfc3164"
 syslog_5424 = "https://tools.ietf.org/html/rfc5424"
 systemd = "https://www.freedesktop.org/wiki/Software/systemd/"
 systemd_limit_resources = "https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html"
-test_harness = "https://github.com/timberio/vector-test-harness/"
 toml = "https://github.com/toml-lang/toml"
 toml_array = "https://github.com/toml-lang/toml#array"
 toml_table = "https://github.com/toml-lang/toml#table"
@@ -177,10 +181,13 @@ vector_download = "https://vector.dev/releases/latest/download"
 vector_initd_service = "https://github.com/timberio/vector/blob/master/distribution/init.d/vector"
 vector_issues = "https://github.com/timberio/vector/issues"
 vector_nightly_builds = "http://packages.timber.io/vector/nightly/latest/"
+vector_pull_requests = "https://github.com/timberio/vector/pulls"
 vector_releases = "https://vector.dev/releases/latest"
 vector_repo = "https://github.com/timberio/vector"
 vector_roadmap = "https://github.com/timberio/vector/milestones?direction=asc&sort=due_date&state=open"
+vector_security_policy = "https://github.com/timberio/vector/security/policy"
 vector_systemd_file = "https://github.com/timberio/vector/blob/master/distribution/systemd/vector.service"
+vector_test_harness = "https://github.com/timberio/vector-test-harness/"
 vector_twitter = "https://twitter.com/vectordotdev"
 vector_version_branches = "https://github.com/timberio/vector/branches/all?query=v"
 vector_website = "https://vector.dev"

README.md

@@ -99,7 +99,7 @@ of your observability data with Vector.
 | [TCP to HTTP](https://github.com/timberio/vector-test-harness/tree/master/cases/tcp_to_http_performance) | _**26.7mib/s**_ | n/a | 19.6mib/s | <1mib/s | 2.7mib/s | n/a | n/a |
 | [TCP to TCP](https://github.com/timberio/vector-test-harness/tree/master/cases/tcp_to_tcp_performance) | 69.9mib/s | 5mib/s | 67.1mib/s | 3.9mib/s | 10mib/s | _**70.4mib/s**_ | 7.6mib/s |
 
-To learn more about our performance tests, please see the [Vector test harness][urls.test_harness].
+To learn more about our performance tests, please see the [Vector test harness][urls.vector_test_harness].
 
 
 ## Correctness
@@ -113,7 +113,7 @@ To learn more about our performance tests, please see the [Vector test harness][
 | [Process (SIGHUP)](https://github.com/timberio/vector-test-harness/tree/master/cases/sighup_correctness) | ✅ | ❌ | ❌ | ❌ | ⚠️ | ✅ | ✅ |
 | [JSON (wrapped)](https://github.com/timberio/vector-test-harness/tree/master/cases/wrapped_json_correctness) | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
 
-To learn more about our performance tests, please see the [Vector test harness][urls.test_harness].
+To learn more about our performance tests, please see the [Vector test harness][urls.vector_test_harness].
 
 
 ## Installation
@@ -197,13 +197,13 @@ Or use your own [preferred method][docs.installation].
 [pages.index#performance]: https://vector.dev/#performance
 [urls.mailing_list]: https://vector.dev/community/
 [urls.rust]: https://www.rust-lang.org/
-[urls.test_harness]: https://github.com/timberio/vector-test-harness/
 [urls.v0.7.2]: https://vector.dev/releases/0.7.2/download
 [urls.vector_blog]: https://vector.dev/blog
 [urls.vector_chat]: https://chat.vector.dev
 [urls.vector_community]: https://vector.dev/community
 [urls.vector_releases]: https://vector.dev/releases/latest
 [urls.vector_repo]: https://github.com/timberio/vector
 [urls.vector_roadmap]: https://github.com/timberio/vector/milestones?direction=asc&sort=due_date&state=open
+[urls.vector_test_harness]: https://github.com/timberio/vector-test-harness/
 [urls.vector_twitter]: https://twitter.com/vectordotdev
 [urls.vote_feature]: https://github.com/timberio/vector/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc+label%3A%22Type%3A+New+Feature%22

README.md.erb

@@ -93,7 +93,7 @@ of your observability data with Vector.
 | [TCP to HTTP](https://github.com/timberio/vector-test-harness/tree/master/cases/tcp_to_http_performance) | _**26.7mib/s**_ | n/a | 19.6mib/s | <1mib/s | 2.7mib/s | n/a | n/a |
 | [TCP to TCP](https://github.com/timberio/vector-test-harness/tree/master/cases/tcp_to_tcp_performance) | 69.9mib/s | 5mib/s | 67.1mib/s | 3.9mib/s | 10mib/s | _**70.4mib/s**_ | 7.6mib/s |
 
-To learn more about our performance tests, please see the [Vector test harness][urls.test_harness].
+To learn more about our performance tests, please see the [Vector test harness][urls.vector_test_harness].
 
 
 ## Correctness
@@ -107,7 +107,7 @@ To learn more about our performance tests, please see the [Vector test harness][
 | [Process (SIGHUP)](https://github.com/timberio/vector-test-harness/tree/master/cases/sighup_correctness) | ✅ | ❌ | ❌ | ❌ | ⚠️ | ✅ | ✅ |
 | [JSON (wrapped)](https://github.com/timberio/vector-test-harness/tree/master/cases/wrapped_json_correctness) | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ |
 
-To learn more about our performance tests, please see the [Vector test harness][urls.test_harness].
+To learn more about our performance tests, please see the [Vector test harness][urls.vector_test_harness].
 
 
 ## Installation

REVIEWING.md

@@ -0,0 +1,91 @@
+# Reviewing
+
+Pull request reviews are required before merging code into Vector. This document
+will outline Vector's pull request review requirements. The following checklist
+should be used for all pull requests:
+
+- [ ] Are you the code owner for the files that have changed? If not, please involve the appropriate code owner(s). (see [Code Owners](#code-owners))
+- [ ] Is the code addressing a single purpose? If not, the pull request should be broken up. (see [Single Purpose](#single-purpose))
+- [ ] Is the code readable and maintainable? If not, suggest ways to improve this. (see [Readability](#readability))
+- [ ] Is the code reasonably tested? If not, tests should be improved. (see [Testing](#testing))
+- [ ] Is code marked as unsafe? If so, verify that this is necessary. (see [Safe Code](#safe-code))
+- [ ] Is backward compatibility broken? If so, can it be avoided or deprecated? (see [Backwards compatibility](#backwards-compatibility))
+- [ ] Have dependencies changed? (see [Dependencies](#dependencies))
+- [ ] Has the code been explicitly reviewed for security issues? Dependencies included. (see [Security](#security))
+- [ ] Is there a risk of performance regressions? If so, have run the [Vector test harness](https://github.com/timberio/vector-test-harness)? (see [Performance Testing](#performance-testing))
+- [ ] Should documentation be adjusted to reflect any of these changes? (see [Documentation](#documentation))
+
+## Backwards Compatibility
+
+## Code Of Conduct
+
+If you have not, please review Vector's [Code of Conduct](CODE_OF_CONDUCT.md)
+to ensure reviews are welcoming, open, and respectful.
+
+## Code Owners
+
+Code owners should be involved in reviews that touch their code. This is
+defined in the [`.github/CODEOWNERS`](.github/CODE_OWNERS) file. Involving code
+owners ensures all context is applied to reviews since they have intimate
+knowledge of the code.
+
+## Dependencies
+
+Dependencies should be _carefully_ selected. Before adding a dependency we
+should ask the following questions:
+
+1. Is the dependency necessary? Can we avoid it?
+2. Is the dependency actively and professionally maintained?
+3. Is the dependency experimental or in the development phase?
+4. How large is the community?
+5. Does this dependency have a history of security vulnerabilities?
+6. Will this affect the portability of Vector?
+7. Does the dependency have a compatible license?
+
+## Documentation
+
+Documentation is incredibly important to Vector, it is a feature and
+differentiator for Vector. Pull requests should not be merged without adequate
+documentation, not should they merged with "TODOs" opened for documentation.
+
+## Performance Testing
+
+Vector currently offers 2 methods for performance testing:
+
+1. Internal benchmarks located in the [`/benches` folder](benches).
+2. A full end-to-end [test harness][urls.vector_test_harness] for complex
+   integration and performance testing.
+
+## Single Concern
+
+Changes in a pull request should address a single concern. This promotes quality
+reviews through focus. If a pull request addresses multiple concerns it should
+be closed and followed up with multiple pull requests addresses each concern
+separately.
+
+## Readability
+
+Code is read more than it is written. Code must be documented
+and readable.
+
+## Safe Code
+
+Unsafe code should be reviewed carefully and avoided if possible. If code is
+marked as unsafe a detailed comment should be added explaining why.
+
+## Security
+
+Security is incredibly important to Vector. Users rely on Vector ship mission
+critical and sensitive data. Please review the code explicitly for security
+issues. See [Vector's Security guide for more info](SECURITY.md).
+
+## Testing
+
+Code should be reasonably tested. Vector does not require 100% test coverage,
+we believe this level of coverage is unnecessary. As a general rule of thumb,
+we strive for 80% coverage, beyond this returns are diminishing. Please use
+your best judgment, some code requires more testing than others depending
+on its importance.
+
+
+[urls.vector_test_harness]: https://github.com/timberio/vector-test-harness/