Open AMorgaut opened 3 weeks ago
Current version pushed on the branch:
Thanks for helping make Ecocode safe for everyone.
The Green Code Initiative takes the security of its software products and services seriously, including all of the open source code repositories managed through its GitHub organization, such as Ecocode.
This project is checked by SAST (Static Application Security Testing) via SonarCloud.
If you believe you have found a security vulnerability in this repository, please report it to us through coordinated disclosure. We will ensure that your finding gets passed along to the appropriate maintainers for remediation.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
To report a security issue, use the GitHub Security Advisory "Report a vulnerability" form instead.
Please include as much of the information listed below as you can to help us better understand and resolve the issue:
This information will help us triage and handle your report more quickly.
Is your feature request related to a problem? Please describe.
Even if this project might not be considered critical in terms of security, hackers may still try to use it as an attack vector (e.g. providing bad code recommendations, injecting links to a phishing website, ...).
It is highly recommended for any project to provide an alternate channel to regular issues for submitting detected potential vulnerabilities.
Describe the solution you'd like
The standard way to handle this in open source projects is to add a SECURITY.md file at the root of the repository.
References
Describe alternatives you've considered
GitHub natively provides a dedicated interface with a "Security" tab on the repository page with a "Report a vulnerability" button, but it also proposes to read the project's Security Policy, which it expects to find in SECURITY.md.
Additional context
It would be interesting to have an official dedicated email like security@ecocode.io.
In addition, a /.well-known/security.txt file should be added to the https://ecocode.io website (cf: https://en.wikipedia.org/wiki/Security.txt). It should then be accessible from this URL: https://ecocode.io/.well-known/security.txt
Examples: