kenhowardpdx · asears · Jan 5, 2020 · kenhowardpdx · Feb 16, 2020 · asears
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -9,13 +9,31 @@ updated.
 
 # Maintaining
 
+Gist Extension is written using Typescript.  [TypeScript in Visual Studio Code](https://code.visualstudio.com/docs/languages/typescript).
+
+See [Your First Extension](https://code.visualstudio.com/api/get-started/your-first-extension) to learn how to write a VSCode Extension.
+
+
 ## Compiling
 
-There's no need to manually compile. The launch tasks trigger the 'compile' script from the package.json file which continuously watches TypeScript files for changes.
+There's no need to manually compile. The launch tasks trigger the 'compile' script from the package.json file which continuously watches TypeScript files for changes.  
+
+Run the following to restore dependencies.
+
+```sh
+npm install
+```
 
 ## Test
 
-Run the 'Launch Tests' task from the Debug pane (Ctrl+Shift+D) to execute tests.
+Run the 'Launch Tests' task from the Debug pane (Ctrl+Shift+D) to execute tests, or click ▶️ vscode-jest-tests.
+
+Jest is used for tests.
+
+```sh
+npm install --save-dev jest
+```
+
 
 ## Debug
 
@@ -42,4 +60,12 @@ Please be sure to lint and fix any formatting errors before submitting a pull re
 You can fix formatting errors automatically by running:
 ```
 npm run lint -- --fix
+```
+
+## Dependencies
+
+Dependencies may become stale.
+
+```sh
+npm outdated
 ```
diff --git a/README.md b/README.md
@@ -5,7 +5,17 @@
 
 [![Installs](https://vsmarketplacebadge.apphb.com/installs/kenhowardpdx.vscode-gist.svg)](https://marketplace.visualstudio.com/items?itemName=kenhowardpdx.vscode-gist) [![Coverage Status](https://coveralls.io/repos/github/kenhowardpdx/vscode-gist/badge.svg?branch=master)](https://coveralls.io/github/kenhowardpdx/vscode-gist?branch=master)
 
-Access your GitHub Gists within Visual Studio Code. You can add, edit, and delete public and private gists.
+Access your [GitHub Gists](http://gist.github.com/) within [Visual Studio Code](https://code.visualstudio.com/). You can add, edit, and delete public and private gists.
+
+## Security of Github Gists
+
+Treat Gists as public code.  Secret gists aren't necessarily private.  
+If you send the URL of a secret gist to a friend, they'll be able to see it.  
+However, if someone you don't know discovers the URL, they'll also be able to see your gist.  
+
+If you need to keep your code away from prying eyes, you may want to [create a private repository](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-new-repository) instead.
+
+Please review the [Security Policy](SECURITY.md).
 
 ## Installation
 
@@ -14,6 +24,8 @@ Select the `Gist Extension` extension from the list.
 
 ## GitHub Profiles
 
+On installation, Gist Extension shows a public feed of gists.  Associate a Github Personal Access Token (PAT) to see only your gists.
+
 _**NOTE:** You must provide a personal access token to be authenticated with GitHub or a GitHub Enterprise instance._
 
 Press <kbd>F1</kbd> and type `select profile` to initialize the profile selector. You can add as many profiles as you would like.
@@ -118,4 +130,5 @@ If you'd like to support Gist, please consider the following &mdash; feel free t
 - [Follow me on Twitter](https://twitter.com/kenhowardpdx "Follow me on Twitter")
 
 ## Maintainer
+
 vscode-gist is maintained by [Ken Howard](https://github.com/kenhowardpdx).
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,83 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the `Gist Extension`
+project.
+
+  * [Reporting a Bug](#reporting-a-bug)
+  * [Disclosure Policy](#disclosure-policy)
+  * [Comments on this Policy](#comments-on-this-policy)
+
+## Reporting a Bug
+
+The `Gist Extension` team and community take all security bugs in `Gist Extension` seriously.
+Thank you for improving the security of `Gist Extension`. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by direct messaging the lead maintainer at @kenhowardpdx.
+
+The lead maintainer will acknowledge your message within 48 hours, and will send a
+more detailed response within 48 hours indicating the next steps in handling
+your report. After the initial reply to your report, the security team will
+endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance. These fixes will be
+    released as fast as possible to npm.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.
+
+## Security of Gists
+
+Treat Gists as public code.  Secret gists aren't necessarily private.  
+If you send the URL of a secret gist to a friend, they'll be able to see it.  
+However, if someone you don't know discovers the URL, they'll also be able to see your gist.  
+If you need to keep your code away from prying eyes, you may want to [create a private repository](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-new-repository) instead.
+
+## Security History
+
+2020-01-04 - Add security policy.  Dependency issue
+
+* Security issue with package mitigated.
+```sh
++ jest@24.9.0
+updated 1 package and audited 878996 packages in 15.506s
+found 1 high severity vulnerability
+
+  run `npm audit fix` to fix them, or `npm audit` for details
+
+D:\projects\typescript\vscode-gist>npm audit
+
+                       === npm audit security report ===
+
+# Run  npm update https-proxy-agent --depth 3  to resolve 1 vulnerability
+
+  High            Machine-In-The-Middle
+
+  Package         https-proxy-agent
+
+  Dependency of   vscode [dev]
+
+  Path            vscode > vscode-test > https-proxy-agent
+
+  More info       https://npmjs.com/advisories/1184
+
+
+
+found 1 high severity vulnerability in 878996 scanned packages
+  run `npm audit fix` to fix 1 of them.
+```