Add a security policy #864
Conversation
Good idea.
We should discuss in the meeting whether we want to support at least two minor-version branches for security updates (or an LTS version and one faster-moving branch with regular releases, e.g. the Jenkins model: one release from master every 2 weeks and an LTS release every 3 months) to cater for facilities that cannot support too frequent updates?
@jl-wynen based on the file that you added, we should have a log of all the vulnerabilities that we have fixed. On a side note, what else do we need to do on this PR to approve and merge?
Just use GH security advisories. They allow you to track what has been fixed and for what version and disclose those when appropriate. Related, there is actually no need for an email address. You can enable security reporting on the repo, which is like issues but can be opened by anyone but seen only by maintainers.
Force-pushed from e0b04e7 to b05244d
SECURITY.md (outdated)
**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**

Instead, please email <ADDRESS>
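Review bot: `<ADDRESS>` on the "Instead, please email" line is still an unfilled placeholder, so as written the policy gives reporters no working channel; before merging, either fill in a monitored mailbox or, if private vulnerability reporting is enabled on the repo, replace the sentence with one pointing reporters to the "Report a vulnerability" flow under the Security tab. It would also help to add a "Supported Versions" section stating which branches receive security fixes, since that question is already being raised in this thread.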
We still need to put an email address here.
Alternatively, or in addition, you can also enable private security reporting for the repo: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
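The two review points above (the placeholder address left in SECURITY.md, and the suggestion to rely on GitHub's private vulnerability reporting instead of or in addition to an email) are easy to regress on, so a small CI check is worth having. The following is an added example, not code from this repository or from Scitacean. It lints a SECURITY.md for leftover placeholders, for at least one private reporting channel (a contact email or a GitHub security-advisories URL), for a "Supported Versions" section, and for the "do not report publicly" instruction. The two sample policies, the `example-org/example-repo` URL and the `security@example.org` address are constructed for the example and are not real.

```python
import re
import sys

# Constructed sample: the draft as it appears in this PR, placeholder and all.
DRAFT_POLICY = """# Security Policy

**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**

Instead, please email <ADDRESS>
"""

# Constructed sample: what a finished policy could look like (names/URLs are placeholders).
FINISHED_POLICY = """# Security Policy

## Supported Versions

| Version | Supported |
| ------- | --------- |
| 1.2.x   | yes       |
| 1.1.x   | yes       |
| < 1.1   | no        |

## Reporting a Vulnerability

**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**

Instead, use the "Report a vulnerability" button under the repository's Security tab
(https://github.com/example-org/example-repo/security/advisories/new), or email security@example.org.
"""

# Angle-bracket placeholders such as <ADDRESS>, plus the usual TODO markers.
PLACEHOLDER_RE = re.compile(r"<[A-Z_ ]+>|\bTODO\b|\bFIXME\b|\bTBD\b")
# A contact email address.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# A GitHub security-advisories URL (the private reporting entry point).
ADVISORY_URL_RE = re.compile(r"https://github\.com/[\w.-]+/[\w.-]+/security/advisories(/new)?")
# A Markdown heading announcing which versions get fixes.
SUPPORTED_HEADING_RE = re.compile(r"^#+\s*supported versions", re.IGNORECASE | re.MULTILINE)
# The instruction not to use public issues/PRs for reports.
NO_PUBLIC_RE = re.compile(r"do not report .* public", re.IGNORECASE)


def lint_security_policy(text: str) -> list[str]:
    """Return the list of problems found in a SECURITY.md; empty means it passes."""
    problems = []
    if PLACEHOLDER_RE.search(text):
        problems.append("unfilled placeholder (e.g. <ADDRESS>, TODO) left in the policy")
    if not (EMAIL_RE.search(text) or ADVISORY_URL_RE.search(text)):
        problems.append("no private reporting channel: neither a contact email "
                        "nor a GitHub security-advisories URL")
    if not SUPPORTED_HEADING_RE.search(text):
        problems.append("no 'Supported Versions' section stating which releases receive fixes")
    if not NO_PUBLIC_RE.search(text):
        problems.append("policy does not tell reporters to avoid public issues/PRs")
    return problems


def lint_file(path: str) -> int:
    """Lint a SECURITY.md on disk; return a process exit code suitable for CI."""
    with open(path, encoding="utf-8") as fh:
        problems = lint_security_policy(fh.read())
    for p in problems:
        print(f"{path}: {p}")
    return 1 if problems else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(lint_file(sys.argv[1]))
    # No file given: show the check on the two constructed samples.
    for name, policy in (("draft", DRAFT_POLICY), ("finished", FINISHED_POLICY)):
        print(name, "->", lint_security_policy(policy) or "OK")
```

Run it as `python lint_security_policy.py SECURITY.md` in CI; the draft from this PR fails on the placeholder, the missing reporting channel and the missing "Supported Versions" section, while the finished sample passes.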
Force-pushed from a050979 to d4fc66c
Force-pushed from d52d184 to f5dfad1
This is good practice so that users know what to do when they find a problem.
I basically copied this from Scitacean. So it may not be exactly what you want here. In particular, please