You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
Someone who's found a security vulnerability should be able to report it privately, allowing a patch to be released and giving users time to update before the vulnerability can be exploited.
Describe the solution you'd like
JsonCpp should have a security policy (usually titled SECURITY.md) letting anyone with a suspected vulnerability get in touch and work with maintainers out of the public eye. GitHub recommends that projects have such a policy.
The security policy can be found by users who enter the project's "Security" panel. A new issue "type" will be added to the "New issue" window pointing users to the policy if they've found a vulnerability.
Additional context
There are two main ways to receive disclosures:
register an email or website available to receive such reports; and/or
Click "Enable" for "Private vulnerability reporting"
I'll send a PR with a draft policy along with this issue. Another option would be to create a https://github.com/open-source-parsers/.github repository and adding the SECURITY.md there. This would make the policy available to all of the org's repositories.
Disclosure
My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.
The text was updated successfully, but these errors were encountered:
Is your feature request related to a problem? Please describe.
Someone who's found a security vulnerability should be able to report it privately, allowing a patch to be released and giving users time to update before the vulnerability can be exploited.
Describe the solution you'd like
JsonCpp should have a security policy (usually titled SECURITY.md) letting anyone with a suspected vulnerability get in touch and work with maintainers out of the public eye. GitHub recommends that projects have such a policy.
The security policy can be found by users who enter the project's "Security" panel. A new issue "type" will be added to the "New issue" window pointing users to the policy if they've found a vulnerability.
Additional context
There are two main ways to receive disclosures:
If you want to use GitHub's reporting system, it must be activated for the repository:
I'll send a PR with a draft policy along with this issue. Another option would be to create a https://github.com/open-source-parsers/.github repository and adding the SECURITY.md there. This would make the policy available to all of the org's repositories.
Disclosure
My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.
The text was updated successfully, but these errors were encountered: