A security policy (SECURITY.md) explains how the project wishes to receive and handle responsible disclosure of potential vulnerabilities. GitHub recommends that projects have one.
The security policy can be found by users who enter the project's "Security" panel. They'll also see references to it in the "New issue" page.
There are two main ways to receive disclosures:
register an email or website available to receive such reports; and/or
Click "Enable" for "Private vulnerability reporting"
I'll send a PR with a draft policy along with this issue.
Alternatively, the policy can be created in a json-iterator/.github repository. In this case, the policy will be available in all of the org's repos.
Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.
A security policy (SECURITY.md) explains how the project wishes to receive and handle responsible disclosure of potential vulnerabilities. GitHub recommends that projects have one.
The security policy can be found by users who enter the project's "Security" panel. They'll also see references to it in the "New issue" page.
There are two main ways to receive disclosures:
If you want to use GitHub's reporting system, it must be activated for the repository:
I'll send a PR with a draft policy along with this issue.
Alternatively, the policy can be created in a json-iterator/.github repository. In this case, the policy will be available in all of the org's repos.
Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.