Closed wlandau closed 1 week ago
I just turned on the "Github recommended" configuration for all our public repos (https://github.com/organizations/r-multiverse/settings/security_products).
Instead of a repo-level security.txt file, I propose we add a security policy to r-multiverse.org (similar to our approach for https://github.com/r-multiverse/r-multiverse.github.io/pull/16). This could cover who to contact, as well as R-multiverse-specific issues like https://github.com/r-multiverse/help/discussions/63. Sound okay?
Yes, I'm fine with having it at the root of the website. Do you have a template/precedent in mind for this?
When I go to https://github.com/wlandau/crew/community and click "set up security policy", this is the template I see:
```markdown
# Security Policy

## Supported Versions

Use this section to tell people about which versions of your project are
currently being supported with security updates.

| Version | Supported          |
| ------- | ------------------ |
| 5.1.x   | :white_check_mark: |
| 5.0.x   | :x:                |
| 4.0.x   | :white_check_mark: |
| < 4.0   | :x:                |

## Reporting a Vulnerability

Use this section to tell people how to report a vulnerability.

Tell them where to go, how often they can expect to get an update on a
reported vulnerability, what to expect if the vulnerability is accepted or
declined, etc.
```
And from https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository, I gather the purpose is to tell users how to report vulnerabilities. For R-multiverse, I might first start by explaining additional kinds of problems to look for:
And for reporting vulnerabilities, I think I might prefer private vulnerability reporting rather than giving out our personal email addresses. (It's at least worth investigating.)
Sound okay?
Sounds fine. I don't think there is a single standard for this. I didn't know about private vulnerability reporting, looks like the way to go!