rubysec / bundler-audit

Patch-level verification for Bundler
GNU General Public License v3.0

Add a Security Policy #309

Open postmodern opened 3 years ago

postmodern commented 3 years ago

Add a SECURITY.md file explaining how to report vulnerabilities in bundler-audit.

/cc @reedloden

reedloden commented 3 years ago

I'm a bit biased here due to it being my employer (and the fact that I manage this particular offering), but HackerOne offers a completely free version for open source projects. Might I suggest that as an alternative to email and PGP? Ruby, Rails, and RubyGems all use it already, just as examples.