Recommended text and template for 3rd party module authors about security-wg HOT 12 CLOSED

Great idea @mcollina .

Also we could imagine a "report a vulnerability" button to add to README, wdyt?

from security-wg.

👍 for that.

We should encourage this.

from security-wg.

I would recommend having a separate SECURITY.md in the top-level of a project providing all the necessary information on how to report an issue. See https://github.com/electron/electron/blob/master/SECURITY.md as an example.

from security-wg.

great stuff, had actually pondered exactly that a couple months back (https://twitter.com/liran_tal/status/933322223783424000), and recently me and @grnd shared some ideas related to this too

would love to push this forward, and we could gather a few checklist items to take a stub at. makes sense for me to push for SECURITY.md that projects can use (reminds me of https://github.com/securitytxt/security-txt)

from security-wg.

@lirantal sounds good.

from security-wg.

@vdeturckheim can the security-wg-agenda label be dropped?

from security-wg.

Dropping from agenda as I believe this should get into a broader evangelism strategy.

from security-wg.

What else would we want to do here?
We already have the following:

1. Copy&Paste Example of a badge for READMEs
2. Template that can be used for SECURITY.txt

Maybe we can add an evangelism section in this repo's README to better communicate (1) and (2) ?

from security-wg.

Closing for now that we have the badge and the policy file.

from security-wg.

I think this needs to documented and linked in the README of this wg. Otherwise the info is hard to find. Also, a blog post on the foundation medium would be awesome as well.

from security-wg.

@mcollina so besides the badge to also have a short section about it?

will try to work out a small post about our initiatives to send over but if someone else beats me to it go for it.

from security-wg.

I mean in this repo. The README does not link or provide info to this.

from security-wg.