Closed octojedi closed 3 weeks ago
Currently, given our project scope, a full SECURITY.md policy may not be essential.
It doesn't need to be a comprehensive security.md, but a lot of teams use, import, and fork your library. Currently there is no security policy in your GitHub repo to indicate how someone would report a security vulnerability, that you acknowledge the vulnerability by issuing a CVE, and the expectation for users of your open source library of remediation. Without this, third-party scanners cannot alert users of your library as a dependency of any security issues.
Is security essential for your project?
Request for maintainer to create and publish security.md and security policy. In order to see security vulnerabilities, CVEs, and fixes, please publish a security policy with information on how to submit vulnerabilities, how to track CVEs and what users can expect in terms of remediation of vulnerabilities.