Missing SECURITY.md

Question

Missing SECURITY.md

sergiotarxz opened this issue 4 months ago · comments

sergiotarxz commented 4 months ago

Mojolicious version: Commit 37a4c39
Perl version: Not relevant.
Operating system: Not relevant.

Steps to reproduce the behavior

Github suggests creating a SECURITY.md to ease security researchers reporting bugs.

Expected behavior

We should have a SECURITY.md

Actual behavior

We do not have a SECURITY.md.

sergiotarxz · Answer 1 · Sun Feb 11 2024 11:54:36 GMT+0800 (China Standard Time)

#2151 fixes this issue, but maybe there is something else which should be added.

Sebastian Riedel · Answer 2 · Sun Feb 11 2024 19:49:32 GMT+0800 (China Standard Time)

Are there any actual advantages to having the file? Please don't open a PR, a core team member will write the content if we decide it's worth having.

sergiotarxz · Answer 3 · Sun Feb 11 2024 20:24:37 GMT+0800 (China Standard Time)

Github says:

To give people instructions for reporting security vulnerabilities in your project, you can add a SECURITY.md file to your repository's root, docs, or .github folder. When someone creates an issue in your repository, they will see a link to your project's security policy.

If someone finds a security issue in the code is possible that they have problems reporting it, searching for the correct email address to contact for example, SECURITY.md helps them having a clear point in the code where they can find all the instructions to report an issue.

Sebastian Riedel · Answer 4 · Sun Feb 11 2024 22:33:39 GMT+0800 (China Standard Time)

Since we already have CONTRIBUTING.md, this seems a bit redundant.

sergiotarxz · Answer 5 · Sun Feb 11 2024 23:29:48 GMT+0800 (China Standard Time)

Probably true, feel free to close.