coreinfrastructure / best-practices-badge

🏆Open Source Security Foundation (OpenSSF) Best Practices Badge (formerly Core Infrastructure Initiative (CII) Best Practices Badge)
https://www.bestpractices.dev
MIT License

auto-detect .github/SECURITY.md for `vulnerability_report_process` #2141

Open raboof opened 1 month ago

raboof commented 1 month ago

If a repository-level or org-level (e.g. https://github.com/apache/.github/blob/main/.github/SECURITY.md) `.github/SECURITY.md` is found, that should be sufficient to auto-detect `vulnerability_report_process`.

david-a-wheeler commented 1 month ago

I'd prefer to find a way to be a little more confident than simply "file present". Maybe we can detect an email address or a reference to the GitHub security reporting mechanism? I'm not sure what patterns to look for, any suggestions?

raboof commented 1 month ago

Hmm, I guess we could have a bunch of regexes, like indeed links to the GitHub security reporting mechanism and texts like "report(ing)? a vulnerability", "to report a (new)? vulnerability", and go from there?
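The two ideas in this thread, resolving a repository-level or org-level `SECURITY.md` and then requiring a concrete signal in its text (an email address, a link to GitHub's security reporting pages, or a "report a vulnerability" phrase) rather than mere file presence, sketched as an added Ruby example. This is not code from the best-practices-badge project: the candidate paths, regexes, status names and the sample `SECURITY.md` texts are all assumptions or constructed input.

```ruby
# Added example, not best-practices-badge project code.
# Heuristic detection of a vulnerability reporting process from SECURITY.md:
# look in the repository, then in the org-level ".github" repository, and
# require a concrete signal instead of treating file presence as sufficient.
# Paths, patterns, status names and sample texts below are assumptions.

# Paths GitHub recognises for a security policy, both in a repository and in
# the org's ".github" default-files repository (order assumed).
SECURITY_MD_CANDIDATES = ['SECURITY.md', '.github/SECURITY.md', 'docs/SECURITY.md'].freeze

# "report a vulnerability", "Reporting a Vulnerability",
# "report any new security vulnerabilities", ...
REPORT_PHRASE = /\breport(?:ing)?\s+(?:a\s+|any\s+)?(?:new\s+)?(?:security\s+)?vulnerabilit(?:y|ies)\b/i
# Link to a repository's GitHub security / advisories page (private vulnerability reporting).
GITHUB_SECURITY_URL = %r{https?://github\.com/[\w.-]+/[\w.-]+/security\b(?:/advisories\b(?:/new\b)?)?}i
# A plain contact address (also matches the address part of a mailto: link).
EMAIL = /\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b/i

# Choose the SECURITY.md a checker would read: repository copy first, then the
# org-wide default. Inputs are path => content hashes, assumed already fetched.
# Returns [:repo | :org, path, text] or nil when neither has one.
def resolve_security_md(repo_files, org_files)
  SECURITY_MD_CANDIDATES.each do |path|
    return [:repo, path, repo_files[path]] if repo_files.key?(path)
  end
  SECURITY_MD_CANDIDATES.each do |path|
    return [:org, path, org_files[path]] if org_files.key?(path)
  end
  nil
end

# Collect the signals raboof and david-a-wheeler mention above.
def security_md_evidence(text)
  {
    report_phrases: text.scan(REPORT_PHRASE),
    github_security_urls: text.scan(GITHUB_SECURITY_URL),
    emails: text.scan(EMAIL).uniq
  }
end

# :detected     - the file names a channel (email or GitHub reporting page)
# :needs_review - it talks about reporting vulnerabilities but names no channel
# :not_detected - no signal at all (or no file)
def vulnerability_report_process_status(text)
  return :not_detected if text.nil?
  ev = security_md_evidence(text)
  return :detected unless ev[:emails].empty? && ev[:github_security_urls].empty?
  return :needs_review unless ev[:report_phrases].empty?
  :not_detected
end

# Constructed sample policies (not real projects).
SAMPLE_FULL = <<~MD
  # Security Policy

  ## Reporting a Vulnerability

  Please do not file public issues for security problems. To report a
  vulnerability, email security@example.org or use
  https://github.com/example-org/example-repo/security/advisories/new
MD

SAMPLE_PHRASE_ONLY = <<~MD
  ## Reporting a Vulnerability

  Please contact the maintainers privately before disclosing.
MD

SAMPLE_EMPTY = <<~MD
  # Security

  We take security seriously. More details coming soon.
MD

if $PROGRAM_NAME == __FILE__
  # Repo has no policy of its own; the org-level default is used instead.
  repo_files = { 'README.md' => '# example' }
  org_files = { '.github/SECURITY.md' => SAMPLE_FULL }
  source, path, text = resolve_security_md(repo_files, org_files)
  puts "#{source} #{path}: #{vulnerability_report_process_status(text)}"
  puts "phrase only: #{vulnerability_report_process_status(SAMPLE_PHRASE_ONLY)}"
  puts "empty:       #{vulnerability_report_process_status(SAMPLE_EMPTY)}"
end
```

The split between `:detected` and `:needs_review` is the practical point: a heading that says "Reporting a Vulnerability" with no address or link underneath is exactly the "file present" case the thread wants to avoid rewarding, so a phrase alone only flags the file for a human look, while an email address or a GitHub security URL is treated as evidence of an actual channel.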