add a SECURITY.md file? #15
Comments
One thing we're missing is to decide on a place to publish advisories for these repos. For the SDK, we use GitHub.

For dart-lang, my recommendation would be to use per-repo GitHub advisories across the board (until something better comes along).
Perhaps something like this (the relative link should work when the SECURITY.md is displayed):

```markdown
## Reporting vulnerabilities

To report potential vulnerabilities, please see our security policy on
[https://dart.dev/security](https://dart.dev/security).

## Published security advisories

For advisories published for this repository, see
[security advisories](../../security/advisories?state=published).
```

I'm a bit unsure if the relative link will work well for both https://github.com/dart-lang/sdk/security/policy and https://github.com/dart-lang/sdk/blob/main/SECURITY.md, though. There also doesn't seem to be a page we can link to that lists all security advisories for dart-lang.
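As an added check (not part of this issue or of any dart-lang repository), the snippet below resolves the proposed relative link against both page URLs mentioned above using plain RFC 3986 resolution (`urllib.parse.urljoin`). GitHub's Markdown renderer may rewrite repository-relative links rather than applying RFC 3986 to the page URL, so treat the output as the baseline to compare against the actually rendered page; the `INTENDED` target and the root-relative alternative in the test are assumptions.

```python
from urllib.parse import urljoin

# Constructed inputs: the relative link proposed in the comment and the two
# pages on which GitHub may render a repository's SECURITY.md.
RELATIVE_LINK = "../../security/advisories?state=published"
PAGES = (
    "https://github.com/dart-lang/sdk/blob/main/SECURITY.md",
    "https://github.com/dart-lang/sdk/security/policy",
)
# Assumed intended destination: the repo's own published advisories list.
INTENDED = "https://github.com/dart-lang/sdk/security/advisories?state=published"


def resolve_on_each_page(rel: str, pages=PAGES) -> dict[str, str]:
    """Resolve `rel` against each page URL using RFC 3986 rules (urljoin)."""
    return {page: urljoin(page, rel) for page in pages}


def pages_that_miss(rel: str, intended: str = INTENDED, pages=PAGES) -> list[str]:
    """Return the pages from which `rel` would NOT reach `intended`."""
    return [
        page
        for page, target in resolve_on_each_page(rel, pages).items()
        if target != intended
    ]


if __name__ == "__main__":
    # Under RFC 3986, `../../` climbs two segments from the page's directory:
    # from /dart-lang/sdk/blob/main/ that lands in /dart-lang/sdk/ (correct),
    # but from /dart-lang/sdk/security/ it lands in /dart-lang/ (wrong repo).
    for page, target in resolve_on_each_page(RELATIVE_LINK).items():
        status = "ok " if target == INTENDED else "BAD"
        print(f"{status} {page}\n     -> {target}")
```

A root-relative link such as `/dart-lang/sdk/security/advisories?state=published` resolves to the same target from both pages under these rules, at the cost of hard-coding the repository path.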
I think we should have a deeper discussion of where advisories should be published before we go ahead with this.
We may want to consider writing a generic SECURITY.md file that applies to all the projects in dart-lang. This way it can be added to https://github.com/dart-lang/.github/ and it will be automatically applied to all the projects.
If we add a SECURITY.md file here, I believe that all the dart-lang/ repos - that don't have their own security files - will inherit this one.
See the recent GitHub blog post about this here:
https://github.blog/2022-02-09-coordinated-vulnerability-disclosure-cvd-open-source-projects/
And, the SECURITY.md file we use for the dart-lang/sdk repo: https://github.com/dart-lang/sdk/blob/main/SECURITY.md.
cc @athomas @mit-mit @kevmoo