patriksimek / vm2

Advanced vm/sandbox for Node.js
MIT License
3.86k stars 293 forks

Adding a Security Policy #517

Open fraxken opened 1 year ago

fraxken commented 1 year ago

Hello 👋

I have noticed that some security issues have been reported using public issues like:

To improve this next time you could add a SECURITY.md file at the root (what we call a Security Policy). It will provide information to security researchers and developers such as:

See Guide to implementing a coordinated vulnerability disclosure process for open source projects for better description.

In my projects I use the newest GitHub feature for reporting vulnerabilities privately. Example of my file here.

To enable it just go to Settings and enable Private vulnerability reporting.

I wrote an article that explains how to secure a project or organization on GitHub, in the hope of helping fellow maintainers: https://dev.to/nodesecure/securize-your-github-org-4lb7

If you need any help, do not hesitate to ask.

Best regards, Thomas

tommymarshall commented 1 year ago

This would be a welcome addition. Enterprise applications run security checks, and this particular vulnerability is a blocker for using many other packages.