From 3525c91ec8d0bfab0433af5aee0a80850bae8b5b Mon Sep 17 00:00:00 2001 From: hannahwestra25 Date: Thu, 16 Jul 2026 16:53:14 -0400 Subject: [PATCH 1/3] DOC Add security release review process Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 485d2633-734b-4ee0-a849-f9adeaf3a9bd --- README.md | 2 ++ doc/contributing/10_release_process.md | 35 +++++++++++++++++++ doc/myst.yml | 1 + doc/security.md | 14 ++++++++ .../components/Sidebar/Navigation.test.tsx | 9 +++++ .../src/components/Sidebar/Navigation.tsx | 12 +++++++ 6 files changed, 73 insertions(+) create mode 100644 doc/security.md diff --git a/README.md b/README.md index f2e92c90cc..c205721f23 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,8 @@ identify risks in generative AI systems. - Check out our [website](https://microsoft.github.io/PyRIT/) for more information about how to use, install, or contribute to PyRIT. +- Review our [security policy](https://github.com/microsoft/PyRIT/security/policy) + to report vulnerabilities privately through the Microsoft Security Response Center. - Visit our [Discord server](https://discord.gg/9fMpq3tc8u) to chat with the team and community. ## Trademarks and Citations diff --git a/doc/contributing/10_release_process.md b/doc/contributing/10_release_process.md index 4637b9b5cd..31ff406cbc 100644 --- a/doc/contributing/10_release_process.md +++ b/doc/contributing/10_release_process.md @@ -11,6 +11,11 @@ Follow the instructions according to the order provided. Before starting the release process, verify the codebase is in a healthy state. +- **Create the release review record.** Create a durable release work item that identifies the release owner and links to the content and UI under review. Keep reviewer names, review dates, decisions, high-priority findings, their resolution or documented disposition, and links to approval evidence in this record. Link the record from the release PR or GitHub release. Do not put embargoed vulnerability details in a public record. +- **Complete milestone reviews.** For every external-facing release, record reviews at these designated milestones: + - **Scope freeze:** Development, content publishing, user experience, and security reviewers assess the planned customer-facing changes and identify security or compatibility risks. + - **Release candidate:** Content publishing and user experience reviewers verify the release notes, documentation, and UI after technical review feedback has been incorporated. Security reviewers confirm that high-priority security findings are resolved or have an approved, customer-safe disclosure and disposition. + - **Final pre-release review:** Immediately before publishing, repeat the security review of the final artifacts and collect explicit approval from development, content publishing, security, and user experience owners. A reviewer may mark a discipline not applicable only with a rationale in the release record. - **Check for pending changes.** Ask other PyRIT maintainers whether they have any in-flight changes that should land before the release. - **Verify build pipelines.** Confirm that all integration tests and end-to-end tests are passing in the CI pipelines. If any tests are failing, fix them before proceeding. - **Partner integration tests.** Ensure the partner integration tests are also passing. These tests validate that we are not breaking contracts with partner teams (e.g., Foundry). If any are failing, coordinate with the affected partner teams before proceeding with the release. @@ -254,6 +259,16 @@ since `downgrade()` risks data loss. ## 10. Publish to PyPI +Before publishing, complete and retain this checklist in the release review record: + +- [ ] Technical reviews of the final customer-facing content and UI are complete, and all high-priority feedback is resolved or has an approved disposition. +- [ ] Security, content publishing, and user experience milestone reviews are recorded. +- [ ] The final development, content publishing, security, and user experience approvals are recorded with reviewer names and dates. +- [ ] Release notes contain the required security and compatibility disclosures described in step 12, including explicit "None known" statements where applicable. +- [ ] Links to review evidence and the final approved artifacts are retained in the release record. + +Do not publish the package until every item is complete. + Create an account on pypi.org if you don't have one yet. Ask one of the other maintainers to add you to the `pyrit` project on PyPI. @@ -295,6 +310,26 @@ changes that users should be aware of. The shorter section will be under "## Wha while the full list of changes will be right below. Maintenance changes, build pipeline updates, and documentation fixes are not really important for users. However, important bug fixes, new features, and breaking changes are good candidates to include. +Every release must also include these customer-facing sections before "## Full list of changes": + +```markdown +## Security + +Describe security fixes and any known high-priority security issues that customers +must consider, including affected versions and recommended actions. If there are no +known issues to disclose, write "No known high-priority security issues." + +## Breaking changes and compatibility + +Describe breaking changes, backward-compatibility issues, affected versions, and +migration or mitigation steps. If there are none, write "No known breaking changes +or backward-compatibility issues." +``` + +Coordinate the wording of non-public or embargoed security issues with the security +reviewer and MSRC. Never disclose sensitive vulnerability details before the approved +publication date. Confirm in the release review record that these sections match the +final reviewed content and UI. If you are unsure about whether to include certain changes please consult with your fellow maintainers. When you're done, hit "Publish release" and mark it as the latest release. diff --git a/doc/myst.yml b/doc/myst.yml index 374ac62039..5b192d30b0 100644 --- a/doc/myst.yml +++ b/doc/myst.yml @@ -39,6 +39,7 @@ project: - "https://www.youtube.com/watch?v=jq9DcEL3cHE" toc: - file: index.md + - file: security.md - file: getting_started/README.md children: - file: getting_started/install.md diff --git a/doc/security.md b/doc/security.md new file mode 100644 index 0000000000..7182ec913a --- /dev/null +++ b/doc/security.md @@ -0,0 +1,14 @@ +# Security + +Microsoft takes the security of PyRIT seriously. + +If you believe you have found a security vulnerability, **do not report it through a +public GitHub issue**. Submit it privately to the +[Microsoft Security Response Center](https://aka.ms/security.md/msrc/create-report). +The repository's [security policy](https://github.com/microsoft/PyRIT/security/policy) +describes alternative reporting methods, the information to include, and Microsoft's +coordinated vulnerability disclosure policy. + +Review the [PyRIT release notes](https://github.com/microsoft/PyRIT/releases) for +customer-facing security notices, known high-priority security issues, breaking +changes, and compatibility guidance for each release. diff --git a/frontend/src/components/Sidebar/Navigation.test.tsx b/frontend/src/components/Sidebar/Navigation.test.tsx index e25de60a5f..25a4ad45d6 100644 --- a/frontend/src/components/Sidebar/Navigation.test.tsx +++ b/frontend/src/components/Sidebar/Navigation.test.tsx @@ -96,6 +96,15 @@ describe("Navigation", () => { expect(onOpenFeedback).toHaveBeenCalledTimes(1); }); + it("links to the public security policy", () => { + renderWithProvider(); + + expect(screen.getByRole("link", { name: "Security" })).toHaveAttribute( + "href", + "https://github.com/microsoft/PyRIT/security/policy" + ); + }); + it("calls onNavigate with 'history' when history button is clicked", async () => { const user = userEvent.setup(); const onNavigate = jest.fn(); diff --git a/frontend/src/components/Sidebar/Navigation.tsx b/frontend/src/components/Sidebar/Navigation.tsx index cf4a1dfc63..12ad9dd133 100644 --- a/frontend/src/components/Sidebar/Navigation.tsx +++ b/frontend/src/components/Sidebar/Navigation.tsx @@ -13,6 +13,7 @@ import { SettingsRegular, HistoryRegular, PersonFeedbackRegular, + OpenRegular, WeatherMoonRegular, WeatherSunnyRegular, } from '@fluentui/react-icons' @@ -106,6 +107,17 @@ export default function Navigation({ currentView, onNavigate, onOpenFeedback }: aria-label="Feedback" onClick={onOpenFeedback} /> +