- Pick either reporting by mail or GitHub private vulnerability reporting; or, in case you want to support both, mention both in SECURITY.md then.
  Personally I would recommend GitHub private vulnerability reporting because it simplifies some things, e.g.
  - lower risk of mails getting lost or being considered spam
  - private collaboration and requesting a CVE before the advisory is published
- Actively check security@trino.io and the GitHub notifications for reports
- Communication
  This is probably most important. Please confirm when you received the report, and confirm whether you were able to reproduce it. Ask if something is unclear or if you disagree with the reporter (maybe there is a misunderstanding). Describe your planned schedule for the fix or the publication of the advisory, or mention if you need more time. The reporter usually does not expect you to publish a fix immediately, but just wants to make sure you are aware of the vulnerability and that a fix is published eventually.
  The worst thing is when you don't respond and the vulnerability is then either never fixed, or the reporter decides to disclose it publicly or contacts MITRE directly. Then you as maintainers are surprised by it and have to rush a fix, which risks being incomplete; and your users might be vulnerable in the meantime.
I am going to take this on @martint since I was already looking towards getting some OpenSSF badges and such. Will work with you and @wendigo and others.
As part of reporting https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4 for Aircompressor, I also tried to contact the maintainers here, and there were several problems:

- SECURITY.md here recommends sending a mail to security@trino.io, but my mail was apparently ignored
- SECURITY.md), but my report https://github.com/trinodb/trino/security/advisories/GHSA-hg52-rhfq-x59c was ignored (?)

Suggestions