-
Notifications
You must be signed in to change notification settings - Fork 328
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a security policy file #149
Comments
@malfet PTAL |
PyTorch project have moved to Linux Foundation, but other projects haven't. Adding separate security.md sounds reasonable to me, and also enable security vulnerabilities reporting for the project. |
Ah, was it only pytorch/pytorch that moved to the LF? I thought it was the entire org. If so, would you like me to send a PR to set cpuinfo's security policy? Alternatively, you could create a https://github.com/pytorch/.github repository. Adding the security policy there will make it available to all projects under the pytorch org. Any repos that need a different policy can add it to the repo and it will take precedence over the "default" policy. |
Hey, just a quick bump here. Would there be interest in a PR with a draft security policy? If yes, should it point to Facebook's bug-bounty program or has cpuinfo also moved to the Linux Foundation? If not, feel free to close! |
I've noticed that CONTRIBUTING.md points users to Facebook's bug-bounty program in case any security vulnerabilities are found in the project. Is that still the proper venue after PyTorch migrated to the Linux Foundation?
Regardless, having this information on a separate SECURITY.md file makes it much more visible for users. It'll be front and center for users who enter the project's "Security" panel, and they'll also see references to the policy in the "New issue" page.
If there's interest, I'd be happy to submit a PR with a draft policy (based on CONTRIBUTING.md or with any new information).
Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.
The text was updated successfully, but these errors were encountered: