This pull request introduces a new security policy. A security policy is necessary because:
it shows to our users that we take security seriously and value reports
it makes it clear to reporters what we expect of them, how we'll handle their reports, and how they can get in touch
it makes clear to our users that they shouldn't expect us to provide security fixes or support for older versions of Cmdr
it explains to researchers and our users what we do not consider to be security issues
In the past few months, we've had at least two incidents where a user has attempted to report a security vulnerability by making a pull request or other public report (e.g. on an online forum or via our support channels). This policy will help prevent incidents like that.
Next steps
We should continue to consider the viability of email reporting and if we find a solution that works, implement it.
As part of the ongoing documentation work, we should create at least one article discussing security. This could include things like permission hooks, common support questions (like "can exploiters run my commands?"), but also discuss some aspects of Cmdr's internals which may be noteworthy to security-focused users.
Maintainers: Please do not merge this pull request. Once your approvals have been received, I'll give everything one last check and then merge myself.