tukaani-project / xz

XZ Utils
https://tukaani.org/xz/

[Feature Request]: Add Security Policy #46

Closed gabibguti closed 1 year ago

gabibguti commented 1 year ago

Describe the Feature

A Security Policy should provide clear guidance on how to report potential vulnerabilities and inform the vulnerabilities disclosure window for this repo. It is recommended by GitHub and Scorecard.

Expected Complications

No.

Will I try to implement this new feature?

Yes

Additional context

I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)

If you agree, I can open a PR to suggest a Security Policy, and we can work together to communicate how the repo can best handle vulnerability reports.

JiaT75 commented 1 year ago

Hi Gabriela! This seems like a great idea, thanks for the suggestion. At the moment, users are expected to report security reports to our project's email address (xz@tukaani.org). Since we moved to GitHub, it is probably less clear that this is our expectation, especially for users who find the project through GitHub. So setting up a SECURITY.md file will be helpful.

You are welcome to suggest an initial version for the Security Policy through a PR. Thanks for the help!