WordPress / two-factor

Two-Factor Authentication for WordPress.
https://wordpress.org/plugins/two-factor/
GNU General Public License v2.0

Add information about where to submit security bugs #541

Closed felixarntz closed 1 year ago

felixarntz commented 1 year ago

What?

This adds an FAQ entry for where to file security bugs.

Why?

Per request from the WordPress security team.

How?

The copy used is similar to the one that is already present here in the Gutenberg SECURITY.md file, which was used as a reference.

iandunn commented 1 year ago

Thanks! #481 also added a SECURITY.md, but in .github/ instead of /:

https://github.com/WordPress/two-factor/blob/c0eae28ce5c83d28bdf810dc940f33febe38a0b7/SECURITY.md

https://github.com/WordPress/two-factor/blob/c0eae28ce5c83d28bdf810dc940f33febe38a0b7/.github/SECURITY.md

It sounds like GH supports both locations. I personally prefer .github to reduce clutter, but if all our other repos are using / then the consistency is probably more important.

Any other opinions on which one we should delete?
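GitHub reads community health files such as SECURITY.md from the repository root, from `.github/`, or from `docs/`, so a repo can end up carrying more than one copy that drift apart, which is exactly the situation described above. The following POSIX shell check is an added example and not part of the two-factor project; it lists which of the three recognised locations exist in a checkout and reports none, one, or duplicates via its exit status.

```shell
#!/bin/sh
# Added example, not code from the WordPress/two-factor repository.
# GitHub recognises SECURITY.md in the repo root, .github/ or docs/;
# list the copies present in a checkout so duplicates can be removed.
security_md_locations() {
  repo="$1"
  for f in "SECURITY.md" ".github/SECURITY.md" "docs/SECURITY.md"; do
    [ -f "$repo/$f" ] && printf '%s\n' "$f"
  done
  return 0
}

# Exit 0 when exactly one copy exists, 1 when none exists (GitHub's
# Security tab then shows no policy), 2 when several copies exist.
check_security_md() {
  count=$(security_md_locations "$1" | wc -l | tr -d ' ')
  case "$count" in
    0)
      echo "no SECURITY.md found in $1" >&2
      return 1
      ;;
    1)
      return 0
      ;;
    *)
      echo "duplicate SECURITY.md copies in $1; keep one of:" >&2
      security_md_locations "$1" >&2
      return 2
      ;;
  esac
}

# Usage: sh check_security_md.sh /path/to/checkout
if [ -n "${1:-}" ]; then
  check_security_md "$1"
fi
```

Run it against a checkout before tagging a release; a non-zero exit from `check_security_md` is a cheap CI signal that the policy file is missing or duplicated.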

felixarntz commented 1 year ago

@iandunn Apologies, I wasn't aware of that.

I think having SECURITY.md in the root helps visibility. I have to admit, I didn't even know that GitHub actually does something with these files, and I have never paid attention to see that there's a Security tab on those repos that uses the security policy from that file. 🤦

That may just be me, but maybe other people too. That's why I would personally argue it should be in the root, for better visibility. Furthermore it's common to have other "similar" files like CONTRIBUTING.md at the root level too.

iandunn commented 1 year ago

That WFM 👍🏻