python / importlib_metadata

Library to access metadata for Python packages
https://importlib-metadata.readthedocs.io
Apache License 2.0

Create a Github Security Policy file #458

Closed joycebrum closed 1 year ago

joycebrum commented 1 year ago

Hi, I'd like to know if you might have interest in creating a GitHub Security Policy file for python/importlib_metadata. The project already has a very well defined security policy, so the file would only allow users to get this information through GitHub's standard ways.

It will be shown in the Security Dashboard and in the about section of the project:


So it will make it easier for users to find out how to report security issues.

Let me know if a PR is welcome and I'll submit it ASAP.

Thanks!

jaraco commented 1 year ago

Thanks Joyce for your review of this project.

This project is one of hundreds that I maintain, so when it comes to concerns that are not specific to this project, I try to maintain them in repos that track those concerns.

My most visible/popular projects are supported by Tidelift, and their security policy is managed through jaraco/tidelift, which is subsequently merged into those projects.

Perhaps consider submitting a PR to that project - then if the changes can be accepted, they'll be applied to dozens of projects that derive from that repo. If the change requires project-specific content, that will add complication and may not be acceptable.

Do feel free to tag me on any such PR, as I don't subscribe to Github events by default.

jaraco commented 1 year ago

I should also say - if this security policy is something that can be applied to any project, it should be contributed to jaraco/skeleton.

jaraco commented 1 year ago

I reviewed the change drafted in your fork, and as I see it, it's taking the security notice that's currently in the readme and putting it in a specific SECURITY.md file. It seems the best place to do that is with the jaraco/tidelift project. I'll transfer the issue there.

Edit: oh, I can't transfer it, because this project is in a different organization. I'll just address it there.