Security reports #392
Comments
Let's try the github one and see how it goes. They say "route to the repository owner" so maybe this can even work better for us.
See also the SECURITY.md to add to the .github repo: https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file
I've looked at this a little and it seems like it might be a bit complicated for our purposes.
This with the nix-community admin email seems like the easiest option for initial reporting. Opened nix-community/.github#3, modified slightly from the Numtide security.md.
https://nixos.org/community/teams/security.html
Like the nixos org I suppose we should have a method and some sort of policy for reporting potential security issues with the infra and repos that don't already have their own security reporting or aren't responsive.
Easiest may be taking reports via github itself:
Private vulnerability reporting (beta)
Guess an alternative could be encrypted email but we'd probably want a dedicated address that gets forwarded to everyone rather than it potentially being sent directly to one person who isn't responsive.