Create s Security Policy

[joycebrum]

Description

Closes #4670

I've created the SECURITY.md file considering the report vulnerability through security advisory, which is a new github feature.

If you're interested in GitHub's feature, it must be activated for the repository:

1. Open the repo's settings
2. Click on Code security & analysis
3. Click "Enable" for "Private vulnerability reporting (Beta)"

If you rather not enable it there is also the possibility to receive the vulnerability report through an email, in this case just let me know which email it would be and I'll submit the change.

Besides that, feel free to edit or suggest any changes to this document, it is supposed to reflect the amount of effort the team can offer to handle vulnerabilities.

[joycebrum]

Not sure how to fix Format check, should I add .md file anywhere in here https://github.com/pybind/pybind11/blob/master/.pre-commit-config.yaml ?

[rwgk]

Not sure how to fix Format check, should I add .md file anywhere in here https://github.com/pybind/pybind11/blob/master/.pre-commit-config.yaml ?

That particular error can probably be fixed by adding the new filename in tests/extra_python_package/test_files.py

I'm not sure about:

0. Could it be better to move the new file to the .github directory?
1. If we also should add it to other lists, e.g. everywhere README.rst appears (below).

MANIFEST.in:include LICENSE README.rst pyproject.toml setup.py setup.cfg
docs/conf.py: with open(DIR.parent / "README.rst") as f:
setup.cfg:long_description = file: README.rst
tests/extra_python_package/test_files.py: "README.rst",

[joycebrum]

Could it be better to move the new file to the .github directory?

As far as I've seen the SECURITY.md file is always placed in the root of the project but I couldn't find any official document arguing about that so I'd say it is up to us to decide.

But considering that it seems that the standard place to it is in the root folder and that the Security Policy is supposed to be "easy to find" I'd say the best option is to keep it in the root folder.

But let me know if you disagree with that and I can change it to .github folder.

[rwgk]

But considering that it seems that the standard place

Sounds good to me.

[rwgk]

You can ignore this failure, it's a very frequent flake:

CI / 🐍 pypy-3.7 • windows-2022 • x64 (pull_request) Failing after 7m

You can basically ignore all PyPy and test_iostream failures if you see them in future CI runs.

[rwgk]

Thanks Joyce!

I looked around a bit to see if we may have to include the new filename elsewhere, but came out convinced that this PR captures everything we need.

[rwgk]

Thanks Joyce!

I looked around a bit to see if we may have to include the new filename elsewhere, but came out convinced that this PR captures everything we need.

[rwgk]

Thanks Joyce!

I looked around a bit to see if we may have to include the new filename elsewhere, but came out convinced that this PR captures everything we need.

[rwgk]

I removed the needs changelog label, because nothing really changed in pybind11 itself. If someone feels we should have this in the changelog, please add back the label and update the PR description.

[joycebrum]

If you're interested in GitHub's feature, it must be activated for the repository:

1. Open the repo's settings
2. Click on Code security & analysis
3. Click "Enable" for "Private vulnerability reporting (Beta)"

@rwgk please remember to enable the Vulnerability Through Security Advisory feature, otherwise the link https://github.com/pybind/pybind11/security/advisories/new won't work.

Thanks!

[rwgk]

If you're interested in GitHub's feature, it must be activated for the repository:

1. Open the repo's settings
2. Click on Code security & analysis
3. Click "Enable" for "Private vulnerability reporting (Beta)"

@rwgk please remember to enable the Vulnerability Through Security Advisory feature, otherwise the link https://github.com/pybind/pybind11/security/advisories/new won't work.

Thanks!

@henryiii could you please help? (I think I don't have the required permissions.)