docs(security): add initial security policy #1181
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Josef Andersson <[email protected]>
janderssonse
force-pushed
the
fix/add-security-policy
branch
from
c42b512 to
1309a4f
Compare
|
This looks good to me overall. If you wrote it, then you are the author, though, not the FSFE. I will clarify some of the details here and get back to you. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds a SECURITY.md file, battle tested in other projects and orgs, (the construct is CC0 ie public domain, for example from here https://raw.githubusercontent.com/itiquette/git-provider-sync/refs/heads/main/SECURITY.md so just reuse)
A SECURITY.md would help anyone assessing the project for use, give a hint of how it handles critical no public security issues, and give anyone a clear instruction on how to report them non public.
IE, for someone thinking about using reuse-tool in an organization or privately it would give an extra trust factor.
This policy basically says "send your findings, and we will see if we handle them, we will notify you".
Besides, being a good FOSS practice, makes the project look more professional and it is heavily supported by GitHub https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file etc as one of the community health files, so it will pop up automatically in the UI for the end user.
Examples:
Security Tab in project front will be added automatically
Security Policy in the top right corner of UI will be added automatically
Security Policy under Security Overview for the project will have the Security Policy green and enabled.
NOTE: there is a <...> in the text, where the preferred channel for reporting should be added I left that for you, (or tell me what to add there, and I'll rebase with that).
NOTE: I had this in multiple orgs and projects over the years. Only once I had a report, so
the current specification.
changed files.