Security disclosure information #21

Waterdrips · 2021-05-29T08:09:46Z

We need to create a process for individuals to be able to disclose security vulnerabilities responsibly.

I suggest:

We create a "SECURITY.md" file with contact information of one/some people here who will be designated security contact.
Add information to our README/Contributing guide as to how to disclose security issues (not open issues/PRs without contacting security etc)
Discuses/publish our security patch processes and any backporting we intecnd to do (set the library users expectations)

Waterdrips · 2021-05-29T08:10:28Z

There are also some things we can enable on the repository like dependabot and some stuff in the "security" tab

mfridman · 2021-07-28T18:36:15Z

There are also some things we can enable on the repository like dependabot and some stuff in the "security" tab

I enabled the Dependabot.

I'll look into the code scanning, probably using Snyk or the native GitHub feature (CodeQL Analysis). Unless there is a preference for another tool?

mfridman · 2021-09-03T18:06:18Z

Going to setup CodeQL Analysis by GitHub

mfridman mentioned this issue Feb 25, 2022

Create SECURITY.md #171

Merged

mfridman closed this as completed in #171 May 28, 2022

Provide feedback