Create a Security Policy #3356
Create a Security Policy #3356
Conversation
|
Thanks for the PR. Considering that we have limited resources, everything is a best effort. We will still prioritize security-related issues but I'd rather not create any expectations that we cannot meet. I enabled private vulnerability reporting which I think is sufficient for now. |
|
@vitaut I've updated the document to be a best effort bases (https://github.com/joycebrum/fmt/blob/master-1/SECURITY.md). The Security Policy file is more about explaining the user what they should do when finding a vulnerability and what they should expect. Since the expectation is best effort bases, there is no problem to disclose it on the SECURITY.md (this is actually very common among open sources). |
|
This looks reasonable but I don't think we need a top-level file for this. I suggest adding a section to the readme. |
Closes #3355
I’ve created the
SECURITY.mdfile considering the report vulnerability through security advisory, which is a new github feature still in beta and that has to be enabled.If you rather not enabling it there is also the possibility to receive the vulnerability report through an email, in this case just let me know which email it would be and I’ll submit the change.
Besides that feel free to edit or suggest any changes to this document, it is supposed to reflect the amount of effort the team can offer to handle vulnerabilities.