Add SECURITY.md files to repos? #16
SECURITY.md is commonly used to describe security policies for projects, including what versions are currently maintained, points of contact for private disclosure, and what kinds of bugs should be disclosed publicly vs privately.
I think it would be good to come up with a template we can use for all repos and then add them.
WDYT? cc @newpavlov

Comments

Sounds good. We probably also need to enable the "private vulnerability reporting" feature. As for supported versions, I don't think we should list the exact versions, only state that we maintain the current versions and that patches to older releases may be applied depending on issue severity and how widely the version in question is used.

Yeah, it's mostly about having a policy for what versions are supported. We already have tables which list the latest releases in the toplevel README.md of each repo. We can probably just point to that.

There's a proposed SECURITY.md here we could adopt: RustCrypto/utils#855

That PR has been merged, so we should consider propagating it to other repos, but also taking care to enable GitHub's private disclosure (beta) feature for each repo as well.

I've taken care of the major repos for this. There may be a few stragglers, but we can address them as they come up.
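The thread above boils down to a per-repository checklist: a SECURITY.md must be present and private vulnerability reporting must be switched on, and any repo missing either is a straggler. The script below is an added example for auditing that checklist across an organization; it is not RustCrypto's tooling and does not come from this issue. It assumes three GitHub REST endpoints (`GET /repos/{owner}/{repo}/contents/SECURITY.md`, and `GET`/`PUT /repos/{owner}/{repo}/private-vulnerability-reporting`, the latter returning `{"enabled": bool}`) as documented at the time of writing; check them against the current API docs before relying on the script. The `fake_fetcher` and the repo state it serves are constructed so the audit logic runs offline.

```python
"""Audit repos for a SECURITY.md file and private vulnerability reporting (PVR).

Added example, not RustCrypto's own tooling.  Endpoint paths are assumptions
taken from the GitHub REST API docs at time of writing:
  GET /repos/{owner}/{repo}/contents/SECURITY.md            -> 200 if present
  GET /repos/{owner}/{repo}/private-vulnerability-reporting -> {"enabled": bool}
  PUT /repos/{owner}/{repo}/private-vulnerability-reporting -> 204 on success
"""
import json
import os
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

API = "https://api.github.com"

# A fetcher takes (method, path) and returns (HTTP status, parsed JSON body or None).
Fetcher = Callable[[str, str], Tuple[int, Optional[dict]]]


@dataclass
class RepoStatus:
    repo: str
    has_security_md: bool
    pvr_enabled: bool

    @property
    def straggler(self) -> bool:
        # A repo is done only when both parts of the checklist hold.
        return not (self.has_security_md and self.pvr_enabled)


def github_fetcher(token: Optional[str]) -> Fetcher:
    """Live fetcher; the token needs admin rights on the repos to use PUT."""
    def fetch(method: str, path: str) -> Tuple[int, Optional[dict]]:
        req = urllib.request.Request(API + path, method=method)
        req.add_header("Accept", "application/vnd.github+json")
        if token:
            req.add_header("Authorization", "Bearer " + token)
        try:
            with urllib.request.urlopen(req) as resp:
                body = resp.read()
                return resp.status, (json.loads(body) if body else None)
        except urllib.error.HTTPError as err:
            return err.code, None  # 404 = no SECURITY.md / feature unavailable
    return fetch


def audit_repo(owner: str, repo: str, fetch: Fetcher) -> RepoStatus:
    status, _ = fetch("GET", f"/repos/{owner}/{repo}/contents/SECURITY.md")
    has_md = status == 200
    status, body = fetch("GET", f"/repos/{owner}/{repo}/private-vulnerability-reporting")
    enabled = status == 200 and bool((body or {}).get("enabled"))
    return RepoStatus(f"{owner}/{repo}", has_md, enabled)


def audit(owner: str, repos: List[str], fetch: Fetcher) -> List[RepoStatus]:
    return [audit_repo(owner, r, fetch) for r in repos]


def stragglers(results: List[RepoStatus]) -> List[str]:
    return [r.repo for r in results if r.straggler]


def enable_pvr(owner: str, repo: str, fetch: Fetcher) -> bool:
    """Turn on private vulnerability reporting; True if GitHub acknowledged it."""
    status, _ = fetch("PUT", f"/repos/{owner}/{repo}/private-vulnerability-reporting")
    return status == 204


def fake_fetcher(state: Dict[str, Dict[str, bool]]) -> Fetcher:
    """Constructed offline stand-in: state maps repo -> {"security_md": bool, "pvr": bool}."""
    def fetch(method: str, path: str) -> Tuple[int, Optional[dict]]:
        parts = path.split("/")            # ['', 'repos', owner, repo, resource, ...]
        repo, resource = parts[3], parts[4]
        s = state.setdefault(repo, {"security_md": False, "pvr": False})
        if resource == "contents":
            return (200, {"name": "SECURITY.md"}) if s["security_md"] else (404, None)
        if resource == "private-vulnerability-reporting":
            if method == "PUT":
                s["pvr"] = True
                return 204, None
            return 200, {"enabled": s["pvr"]}
        return 404, None
    return fetch


if __name__ == "__main__":
    # Constructed sample state standing in for a few repos of an organization.
    demo_state = {
        "aes": {"security_md": True, "pvr": True},
        "hashes": {"security_md": True, "pvr": False},
        "utils": {"security_md": False, "pvr": False},
    }
    token = os.environ.get("GITHUB_TOKEN")
    fetch = github_fetcher(token) if token else fake_fetcher(demo_state)
    for r in audit("RustCrypto", list(demo_state), fetch):
        print(f"{r.repo}: SECURITY.md={r.has_security_md} PVR={r.pvr_enabled}"
              + ("  <- straggler" if r.straggler else ""))
```

Run it without `GITHUB_TOKEN` to see the offline report; with a token it queries GitHub for the same repo names. Treating a 404 on either endpoint as "not done" is deliberate: a repo where the feature is unavailable should show up as a straggler rather than silently pass.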