Closed LeoDog896 closed 11 months ago
We already have a security policy which is just to privately email us at our (actively monitored) email address. https://github.com/typescript-eslint/typescript-eslint/security/policy Is that not easy enough to work with?
As a not-security person I am curious about what the benefits of GitHub's security reporting are. Like, what's the advantage of the dedicated channel over just a private email?
For example, the "Start a temporary private fork" idea is interesting. Is that a strong positive?
Oh absolutely! There are a few benefits:
npm audit does this too. Of course, the downside to using it would be that staff (with higher-level permissions) at GitHub can see these private reports, but they have yet to act in bad faith.
I guess I personally wonder if that heavy process is really worth it for our project?
Ah, alright! Those concerns make sense - I've seen that private security reporting is generally easier to set up than email (because of the whole business of manually registering CVEs), but given the security scope of this project, I can see why it may be better to just stay simple with reporting 👍
Suggestion
This allows GitHub to handle the process as a neutral third party and automatically file CVEs with Mitre, streamlining the process for typescript-eslint whenever a security vulnerability is found.
Both options can still be available, but GitHub's private security reporting is easier to work with.
Docs link