green-code-initiative / ecoCode-dashboard

The UI dashboard of ecoCode metrics
GNU General Public License v3.0

Add a Security Policy with a SECURITY.md file #31

Open AMorgaut opened 3 weeks ago

AMorgaut commented 3 weeks ago

Is your feature request related to a problem? Please describe.

Even if this project might not be considered critical in terms of security, hackers may still try to use it as an attack vector (e.g. providing bad code recommendations, injecting links to a phishing website, ...)

It is highly recommended for any project to provide, as an alternative to regular issues, a way to submit detected potential vulnerabilities.

Describe the solution you'd like

The standard way to handle this in open source projects is to add a SECURITY.md file at the root of the repository

References

Describe alternatives you've considered

GitHub natively provides a dedicated interface, a Security tab on the repository page with a "Report a vulnerability" button, but it also proposes to read the project Security Policy, which it expects to find in SECURITY.md.

Additional context

It would be interesting to have an official dedicated email like security@ecocode.io

In addition, a /.well-known/security.txt file should be added to the https://ecocode.io website (cf: https://en.wikipedia.org/wiki/Security.txt). It should then be accessible from this URL: https://ecocode.io/.well-known/security.txt

Examples:

AMorgaut commented 3 weeks ago

Current version pushed on the branch:

https://github.com/green-code-initiative/ecoCode-dashboard/blob/8ec82b06db2ddbf2942b3f12d3b84b276d652d39/SECURITY.md


Thanks for helping make Ecocode safe for everyone.

Security

The Green Code Initiative takes the security of its software products and services seriously, including all of the open source code repositories managed through its GitHub organization, such as Ecocode.

This project is controlled by SAST (Static Application Security Testing) via Sonarcloud

Reporting Security Issues

If you believe you have found a security vulnerability in this repository, please report it to us through coordinated disclosure. We will ensure that your finding gets passed along to the appropriate maintainers for remediation.

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

To report a security issue, use instead the GitHub Security Advisory "Report a vulnerability" form.

Please include as much of the information listed below as you can to help us better understand and resolve the issue:

This information will help us triage and handle your report more quickly.