Description
Is your feature request related to a problem? Please describe.
Someone who's found a security vulnerability should be able to report it privately, allowing a patch to be released and giving users time to update before the vulnerability can be exploited.
Describe the solution you'd like
JsonCpp should have a security policy (usually titled SECURITY.md) letting anyone with a suspected vulnerability get in touch and work with maintainers out of the public eye. GitHub recommends that projects have such a policy.
Users can find the security policy in the project's "Security" panel. A new issue "type" will also be added to the "New issue" window, pointing users to the policy if they have found a vulnerability.
Additional context
There are two main ways to receive disclosures:
- register an email or website available to receive such reports; and/or
- use GitHub's private vulnerability reporting
If you want to use GitHub's reporting system, it must be activated for the repository:
- Open the repo's settings
- Click on Code security & analysis
- Click "Enable" for "Private vulnerability reporting"
I'll send a PR with a draft policy along with this issue. Another option would be to create a https://github.com/open-source-parsers/.github repository and add the SECURITY.md there. This would make the policy available to all of the org's repositories.
Disclosure
My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.