This repository was archived by the owner on Jul 26, 2022. It is now read-only.
Does this project have documentation on its approach to handling CVEs in its dependencies and other supply chain related security topics? How are vulnerabilities detected and patched, and how will consumers of the project know if there are critical patches available?
Hey @Happycoil, we're using dependabot to keep our app dependencies up to date. We do not have a full-blown Security Governance process defined yet. Do you have any requirements that stop you from using this project? If yes, I'd love to help with it.
how will consumers of the project know if there are critical patches available
We provide releases and release notes. It's up to the user to evaluate the risk of applying or not applying software updates and to apply additional compliance checks. Every company has different compliance checks or other security-related guard rails and we cannot fully centralize them here. Though we're certainly open to suggestions.
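For readers who want to see what the dependabot setup mentioned above looks like in practice, here is an added example of a `.github/dependabot.yml` (not the project's own configuration; the project's real file is not shown in this thread). It assumes the project is a Go module with GitHub Actions workflows; the `package-ecosystem` values are that assumption and should be swapped for the project's actual ecosystems.

```yaml
# .github/dependabot.yml
# Added example, not the project's own configuration.
# Assumption: the project is a Go module with GitHub Actions workflows;
# replace the package-ecosystem values with the project's actual ecosystems.
version: 2
updates:
  # Application dependencies: open a PR when a newer version is published.
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"

  # CI workflows: the actions a pipeline pulls in are part of the supply chain too,
  # so keep them on the same update cadence as the code dependencies.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "ci"
```

This file only drives Dependabot version updates on the given schedule. Dependabot security updates, which open a pull request as soon as a published advisory matches a dependency in the lockfile, are switched on separately under the repository's Security settings and do not wait for the weekly interval.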
No specific requirement as such, but to feel comfortable using third party software to transport secrets from a trusted source to my workloads I'd expect some level of intentional hunting of vulnerabilities and a method for responsible disclosure. I'd like to know if a critical link in the security chain is doing its best to keep its own supply chain secure, basically.