Closed tumido closed 1 year ago
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale
Can be part of support guidelines.
Something like an SLA specific to security.
Define SECURITY.md as per https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository
Have a secure path for users to report a found vulnerability.
General recommendation: Leverage security scanning and CVE monitors, keep deps up to date.
Have a prioritization in place for issues.
Have an SOP for how to handle it.
Security issues are triaged promptly.
Liability: scope of what is a "security matter" of a service and what is the user's own responsibility.
"The service provider is not the user's babysitter," but in better words.