-
The purpose of this guide section is to help maintainers generate and maintain VDP Policies using the provided templates below. This includes a section-by-section explanation of the current contents o…
-
**Note** This issue is about _outgoing_ vulnerability reports discovered and needing to be disclosed by Alpha Omega staff, as well as other representatives of the Open Source Security Foundation. Not …
-
I'm noticing that none of the policies currently listed have `disclosure_timeline_days` set. However, it's a requirement if `co-ordinated` is set. This seems overly restrictive for an org declarin…
-
We need to document what the inbound and outbound vulnerability management process is.
* Comparable from CCC: [governance/security-response-policies.md at main · confidential-computing/governance (…
-
In order to comply with the [GitHub community standards](https://github.com/tlentali/pycht/community), we should add the following text to a `SECURITY.md` file in the root of the project:
```text…
-
**Idea:** Publish an org-level security policy for OpenSSF repositories, projects, services, and infrastructure.
### Proposal
- [Open Source Security Foundation Inbound Vulnerability Reporting P…
-
https://securitytxt.org/
TL;DR: security.txt for reporting security issues, like robots.txt for telling web robots how to behave.
Example file:
`# Our security address`
`Contact: security@ex…
-
Hi, I am a security researcher and I've found an issue in the latest version of ProjectPier (0.8.8). I'd like to coordinate disclosure of the vulnerability with a point-of-contact on the team. Alter…
-
**Is your feature request related to a problem? Please describe.**
Some organizations have both a policy on what to do when they receive a report (bug bounty policy) and a separate policy on what the…
-
@yegor256, similar to what one finds companies doing on https://www.hackerone.com/, I suggest we define a bug bounty program for both Zold and the web wallets projects.
Here's more detail of what…