Skip to content

Commit

Permalink
Add SECURITY.md file (#1250)
Browse files Browse the repository at this point in the history 
* Add SECURITY.md file

This commit adds a SECURITY.md file, so panicked reporters
will know how to report them. Since private reporting is enabled,
I presume that's how this group wants the vulnerabilities reported.

I also tweaked the README to point to it.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

* Remove incorrect URL

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

* Add reporting vulns to table of contents.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* clarify reporting instructions for non-admin.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: Spencer Schrock <sschrock@google.com>
  • Loading branch information
@david-a-wheeler
david-a-wheeler committed Sep 5, 2023
1 parent 15cd9b9 commit abdb7b1
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 0 deletions.
7 changes: 7 additions & 0 deletions README.md
View file
Expand Up @@ -33,6 +33,8 @@ ________
- [Workflow Example](#workflow-example)

["Classic" PAT Requirements and Risks](#classic-personal-access-token-pat-requirements-and-risks)

[Reporting vulnerabilities](#reporting-vulnerabilities)
________

The following GitHub triggers are supported: `push`, `schedule` (default branch only).
Expand Down Expand Up @@ -272,3 +274,8 @@ an external contributor could potentially exploit it to extract the PAT.

The only benefit of a "classic" PAT is that it can be set to never expire.
However, we believe this does not outweigh the significantly higher risk of "classic" PATs compared to fine-grained PATs.

## Reporting vulnerabilities

If you find a vulnerability, please report it to us!
See [SECURITY.md](./SECURITY.md) for more information.
7 changes: 7 additions & 0 deletions SECURITY.md
View file
@@ -0,0 +1,7 @@
# Security

If you find a significant vulnerability, or evidence of one,
please report it privately.

We prefer that you use the [GitHub mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). Under the
[main repository's security tab](https://github.com/ossf/scorecard-action/security), click "Report a vulnerability" to open the advisory form.

0 comments on commit abdb7b1

Please sign in to comment.