Brucesquared2 left a comment
I may be a little overzealous; however, there are vulnerabilities in this. I want to get your thoughts before I release it. I do have some items in this that I don't want made public.
What should be required before approval (minimal changes)
No private reporting channel is provided (email address, security@, or explicit instruction to use a private GitHub Security Advisory). Without this, reporters may open public issues and unintentionally disclose vulnerabilities.
No guidance for encrypted reports (PGP/public key) or whether encrypted reports are accepted.
No acknowledgement/response-time or triage/disclosure timeline (e.g., ack within 48 hours, triage within 7 days).
Supported versions table looks like boilerplate and probably does not reflect this repo — it should be accurate or removed.
No policy for CVE coordination, crediting reporters, or public disclosure handling.
No list of information reporters should provide (steps to reproduce, affected version, PoC, contact details).
No statement of repo maintenance status (actively maintained, archived, or best-effort).
Concise text you can copy into the PR’s Reporting section
Reporting: “Please report security vulnerabilities by creating a private GitHub Security Advisory for this repository OR by emailing security@ (PGP: ). Do NOT open a public issue for security vulnerabilities. We will acknowledge receipt within 48 hours and aim to triage and provide a remediation plan within 7 days. We coordinate CVE assignment when appropriate and will work with the reporter on disclosure and credit.”
Supported versions: replace the table with either an accurate matrix or “This repository is not versioned; security fixes are handled on a case-by-case basis.”