Comments (12)
Great idea @mcollina .
Also we could imagine a "report a vulnerability" button to add to README, wdyt?
from security-wg.
👍 for that.
We should encourage this.
from security-wg.
I would recommend having a separate SECURITY.md
in the top-level of a project providing all the necessary information on how to report an issue. See https://github.com/electron/electron/blob/master/SECURITY.md as an example.
from security-wg.
great stuff, had actually pondered exactly that a couple months back (https://twitter.com/liran_tal/status/933322223783424000), and recently me and @grnd shared some ideas related to this too
would love to push this forward, and we could gather a few checklist items to take a stub at. makes sense for me to push for SECURITY.md
that projects can use (reminds me of https://github.com/securitytxt/security-txt)
from security-wg.
@lirantal sounds good.
from security-wg.
@vdeturckheim can the security-wg-agenda label be dropped?
from security-wg.
Dropping from agenda as I believe this should get into a broader evangelism strategy.
from security-wg.
What else would we want to do here?
We already have the following:
- Copy&Paste Example of a badge for READMEs
- Template that can be used for SECURITY.txt
Maybe we can add an evangelism section in this repo's README to better communicate (1) and (2) ?
from security-wg.
Closing for now that we have the badge and the policy file.
from security-wg.
I think this needs to documented and linked in the README of this wg. Otherwise the info is hard to find. Also, a blog post on the foundation medium would be awesome as well.
from security-wg.
@mcollina so besides the badge to also have a short section about it?
will try to work out a small post about our initiatives to send over but if someone else beats me to it go for it.
from security-wg.
I mean in this repo. The README does not link or provide info to this.
from security-wg.
Related Issues (20)
- OpenSSF Scorecard Report Updated!
- Collaborators Inactivity Policy Review HOT 3
- Question: Why do we have a `--experimental-policy`? HOT 4
- HackerOne page does not mention the threat model HOT 1
- Require optional PoC videos from hackers to help triaging reports
- Node.js Security team Meeting 2024-04-25 HOT 1
- More control over remote debugging (and killing) HOT 4
- Threat Model question about Permission Model HOT 2
- Security Vulnerability to report HOT 1
- OpenSSF Scorecard Report Updated!
- OpenSSF Scorecard Report Updated!
- Scores of vulnerability found in experimental features can be too high HOT 9
- Adding language to Bug Bounty program to differentiate "security features" from "defense in depth features" HOT 1
- Permission Model adoption from Package Managers HOT 3
- Node.js Security team Meeting 2024-05-09
- OpenSSF Scorecard Report Updated!
- OpenSSF Scorecard Report Updated!
- OpenSSF Scorecard Report Updated!
- OpenSSF Scorecard Report Updated!
- Node.js Security team Meeting 2024-05-23
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from security-wg.