Security policy? #7
Closed
DanHeidinga
started this conversation in
General
Replies: 2 comments
-
I have one drafted (pushed): https://github.com/commonhaus/foundation-draft/blob/main/SECURITY.md This is more of a "please use confidential reporting mechanisms built into tools" initial focus, rather than a "how can we as a collection of projects work together to improve how Java security issues are resolved in our libraries (in a way that does not equate to another procedure defining working group)".
-
Thanks Erin. I agree this provides the necessary guidance to projects / reporters.
-
Does the Foundation need a security policy? Just as it requires projects to have a CoC, it would make sense to require projects to have a policy for how they handle security bugs and reporting of CVE fixes in each release.
I'd expect an escalation path / default option of reporting to the foundation until a project gets its own policy in place, just as CoC violations are handled.
There's probably more to spell out here - worth checking the Apache, Eclipse, Linux foundations for how they approach this.