GitHub suggests open source projects create a SECURITY.md file which documents which versions are maintained from a security standpoint. In other words, which versions of a project will receive security patches. This is a little different for us, because this isn't a library. I think once we finish the MVP, however, we can call that v1.0.0, and state that we will only support security vulnerabilities from that major version on.
Additionally, I'd like to set up a bot which scans the code for vulnerabilities. Many of these exist; however, most use GitHub workflows. It would be nice if we had one that didn't require a workflow or was compatible with CircleCI, since that's our CI platform of choice.