Andrea has requested that DataHero be granted access to the github mozilla org (github.com/mozilla) "Granting access will give this application the ability to access private data in the mozilla organization. " Please review what data would be made available to DataHero, what security practices DataHero employs to protect this data (this may involve a vendor security review) https://github.com/orgs/mozilla/policies/applications/40563
hey there, i am just curious about this software and they offered a 14-day trial. I am just kicking tires. I can already see what i need to see in order to evaluate the software. I only need it to be able to access MozillaFoundation/Advocacy. Does that help?
:andreawood, Sounds good. If you're looking to use it on https://github.com/MozillaFoundation/Advocacy then I think you may have tried to enable it on the wrong GitHub organization because the request game in on https://github.com/mozilla not https://github.com/MozillaFoundation If that's the case, since https://github.com/MozillaFoundation/Advocacy is a public repo, you may be able to just add it to the MozillaFoundation github org, deny it's access to private content and it should still work. If that doesn't work and it indeed requires access to private data and because it's a tool which operates on a GitHub Organization-wide level (not a repo level) we should review what that data is (in the MozillaFoundation org) and how DataHero handles it before granting them access to it.
OK -- Right now it is only pulling data from MozillaFoundation/Advocacy. I'm not sure why / how it sent a request to other repos. Might be a bug on their end, honestly. Here's a screengrab: https://www.evernote.com/l/AMpKddBKvO1Nt5zFfrTDfMMk-1Rg_Mi9XzU So perhaps we can close this bug?
Maybe Hal can help figure this out (as he's and admin of both orgs). Hal, any idea what's going on here. In the MozillaFoundation org do you see DataHero as an approved third party provider? If so, then maybe the request to the "Mozilla" org was just a mistake and the right one went to MozillaFoundation (and somebody approved it potentially, I don't have a view). If it is now an approved third party site in the MozillaFoundation org, we should still review it since the access it would have is not repo specific but instead applies to the whole org.
Assignee: jbryner → gene
(In reply to Gene Wood [:gene] from comment #4) > Maybe Hal can help figure this out (as he's and admin of both orgs). Actually, I'm not -- I have no idea who is. 'MozillaFoundation' isn't even listed at: https://wiki.mozilla.org/Github#Is_.22mozilla.22_the_only_github_.22organization.22_related_to_Mozilla.3F I'll see if I can get that information via email. > Hal, > any idea what's going on here? No idea -- the Advocacy repo doesn't exist in the 'mozilla' organization, yet the email clearly mentions the mozilla org.
I added Chris De Cairos from the Foundation who can probably help answer some of these Qs.
:cade aha, good idea. That would make sense (regarding why the request went to the "mozilla" org. That aside though, regardless of which github org we're talking about, if it's one that Mozilla (moco or mofo) is responsible for, we (infosec) should review the private data that's present in the github ord ("MozillaFoundation" in this case) and the vendor practices of DataHero to ensure that it's safe. :cade is your intent to grant access to DataHero for the MozillaFoundation org? If so we really should review the data and the vendor first for security.
i wasn't planning on allowing it just yet. The MozillaFoundation org has six private repos, five which don't seem to be very active right now, and one that we use to collaborate on security bugs and on other User data related tasks. I'm always game for a proper RRA and vendor review
It was only a trial. I don't believe it made any subsequent request for data after the initial pull from my repo. There's no further action needed, you can deny access to DataHero for now. If we decide to use it I will talk to Chris first to make sure I don't break anything. thanks all
I don't think this bug is actionable at this point, and certainly not by me. :) Gene - you probably want to close.
Assignee: hwine → nobody
Status: ASSIGNED → NEW
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.