kartoza / docker-geoserver

A docker recipe for GeoServer
GNU General Public License v2.0

Write a security policy / nominate security contacts #641

Open miceg opened 4 months ago

miceg commented 4 months ago

Feature description

This repository doesn't list any security policy or security contacts.

GeoServer has some: https://github.com/geoserver/geoserver/blob/main/SECURITY.md

Additional context

I have discovered a low-severity security issue affecting Kartoza's GeoServer Docker image, which is triggered by something in this repository.

I'm in contact with GeoServer folks about the issue, and they've asked me to not share details publicly.

I think Kartoza should be brought into the loop.

NyakudyaA commented 4 months ago

@miceg There seem to be a couple of these security issues, as indicated here: https://github.com/kartoza/docker-geoserver/security/code-scanning. If it's something we can fix, please send us a direct email as well. Most of these seem to come from jars.

miceg commented 4 months ago

I don't have access to that page – but I am pretty confident it's not something a security scanner will find 😄

I'll ask to have you looped in the discussion, thanks 😄

NyakudyaA commented 4 months ago

@miceg ping me @addloe@gmail.com and I can share the logs

jodygarnett commented 4 months ago

@Admire Nyakudya, if you or another Kartoza employee is interested in volunteering on geoserver-security, we would appreciate the assistance.

The value proposition is:

Thanks

NyakudyaA commented 4 months ago

Thanks @jodygarnett I can participate