Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Determining what our security policy should be for our repository #79

Closed
francisfuzz opened this issue Sep 12, 2024 · 6 comments · Fixed by #92
Closed

Determining what our security policy should be for our repository #79

francisfuzz opened this issue Sep 12, 2024 · 6 comments · Fixed by #92

Comments

@francisfuzz
Copy link
Collaborator

Summary

Open Source Guides shares a number of recommended community standards, including adding a security policy.

I think it would be great if we can consider adding a real SECURITY.md file that gives people instructions for reporting security vulnerabilities in our project, if/when ever they should come up.


cc: @gr2m for triage 🎫

@gr2m
Copy link
Collaborator

gr2m commented Sep 12, 2024

I agree, we should do that. I have no strong opinion on the process. Do you have a preference?
GitHub has a process for that now https://github.com/copilot-extensions/preview-sdk.js/security/policy

@francisfuzz
Copy link
Collaborator Author

@gr2m - No hard preference. That will open up a new template to create a SECURITY.md but the actual details are left up to us. 😅

I wonder if there's another repo in the github org that has reusable content for us. 💭

@gr2m
Copy link
Collaborator

gr2m commented Sep 13, 2024

Maybe we can utilize the "Private vulnerability reporting" feature, and link to that from SECURITY.md?

@francisfuzz
Copy link
Collaborator Author

Maybe we can utilize the "Private vulnerability reporting" feature, and link to that from SECURITY.md?

@gr2m Makes sense! Reading the docs:

Owners and administrators of public repositories can enable private vulnerability reporting on their repositories.

I don't have those privileges; if/when you choose to enable it, I can link to it from the SECURITY.md (along with said GitHub Docs reference so folks can read more). 👍

francisfuzz added a commit that referenced this issue Sep 17, 2024
@francisfuzz
Copy link
Collaborator Author

Cut a draft PR to get the ball rolling: #92

@gr2m gr2m closed this as completed in #92 Sep 17, 2024
@gr2m gr2m closed this as completed in cf87d43 Sep 17, 2024
Copy link

🎉 This issue has been resolved in version 5.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants