mojolicious / mojo

:sparkles: Mojolicious - Perl real-time web framework
https://mojolicious.org
Artistic License 2.0

Missing SECURITY.md #2152

Closed sergiotarxz closed 4 months ago

sergiotarxz commented 4 months ago

Steps to reproduce the behavior

Github suggests creating a SECURITY.md to ease security researchers reporting bugs.

Expected behavior

We should have a SECURITY.md.

Actual behavior

We do not have a SECURITY.md.

sergiotarxz commented 4 months ago

#2151 fixes this issue, but maybe there is something else which should be added.

kraih commented 4 months ago

Are there any actual advantages to having the file? Please don't open a PR, a core team member will write the content if we decide it's worth having.

sergiotarxz commented 4 months ago

Github says:

To give people instructions for reporting security vulnerabilities in your project, you can add a SECURITY.md file to your repository's root, docs, or .github folder. When someone creates an issue in your repository, they will see a link to your project's security policy.

If someone finds a security issue in the code, it is possible that they have problems reporting it, for example searching for the correct email address to contact. SECURITY.md helps them by providing a clear point in the code where they can find all the instructions to report an issue.

kraih commented 4 months ago

Since we already have CONTRIBUTING.md, this seems a bit redundant.

sergiotarxz commented 4 months ago

Probably true, feel free to close.