Create Security Policy #156
Conversation
|
Hey! This issue/PR has been idle for quite some time. Do you plan on considering these changes? If not, I'll probably wait up to 2 more months and close the issue. Thanks! |
|
Hello. This PR got lost under a long backlog. Although I'm the maintainer of |
|
Hey @zesterer! Yep, Github documentation states that "Anyone with admin permissions to a repository can see, review, and manage privately-reported vulnerabilities for the repository.", so you as a maintainer would be able to see it and would probably be notified as well. Does that answer your question? |
|
It does, yes. Thank you. |
|
Hey @zesterer, although the PR was merged, I think you haven't yet enabled the github's feature of Private Vulnerability Report, have you? If not, please follow the instructions I sent here and enable it. When this feature is not enabled, the link pointed on your Security Policy will lead to Not Found :/ |
Closes #155
I've created the SECURITY.md file following a GitHub's template and considering that you'd request that users report vulnerabilities through security advisory, which is a handy new GitHub feature, but it's still in beta and has to be manually enabled by a maintainer.
If you're interested in this feature, you can activate it following this steps:
However, if you'd rather not use this feature, you can also request users to report vulnerabilities to an email. If that's the case, let me know which email you would like to receive the reports and I can submit the change.
Additionally, feel free to edit or suggest any changes to this document, it is supposed to reflect the amount of effort the team can offer to handle vulnerabilities.