Cover Security in the standard files #13
Comments
|
Thanks @hyandell - this is a bit out of my wheelhouse. Here is Microsoft's standard security reporting. But that feels a bit heavyweight from my perspective (24 hour SLA, etc.). Thoughts on how to handle? How is this typically handled outside of large companies? |
|
I asked around at OpenSSF on the topic. Some interesting things there that could lead to a good default text. https://github.com/cncf/tag-security/tree/main/project-resources is one suggestion to consider; though I think the wg_identifying_security_threats group at OpenSSF may produce something more canonical. |
|
Noting that our security solution should leverage this beta feature from GitHub: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability. Leaving open to address once feature clears beta. |
I propose that the default files cover Security. Be it as text in the CONTRIBUTING.md, or via a SECURITY.md file. Ideally both, with the SECURITY.md going into the org's template directory.
Like the CoC, the security file will need some kind of unusual contact address.
The text was updated successfully, but these errors were encountered: