Determining what our security policy should be for our repository

[francisfuzz]

Summary

Open Source Guides shares a number of recommended community standards, including adding a security policy.

I think it would be great if we can consider adding a real SECURITY.md file that gives people instructions for reporting security vulnerabilities in our project, if/when ever they should come up.

---

cc: @gr2m for triage 🎫

[gr2m]

I agree, we should do that. I have no strong opinion on the process. Do you have a preference?
GitHub has a process for that now https://github.com/copilot-extensions/preview-sdk.js/security/policy

[francisfuzz]

@gr2m - No hard preference. That will open up a new template to create a SECURITY.md but the actual details are left up to us. 😅

I wonder if there's another repo in the github org that has reusable content for us. 💭

[gr2m]

Maybe we can utilize the "Private vulnerability reporting" feature, and link to that from SECURITY.md?

[francisfuzz]

Maybe we can utilize the "Private vulnerability reporting" feature, and link to that from SECURITY.md?

@gr2m Makes sense! Reading the docs:

Owners and administrators of public repositories can enable private vulnerability reporting on their repositories.

I don't have those privileges; if/when you choose to enable it, I can link to it from the SECURITY.md (along with said GitHub Docs reference so folks can read more). 👍

[francisfuzz]

Cut a draft PR to get the ball rolling: #92

[github-actions]

🎉 This issue has been resolved in version 5.0.0 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀