From abdb7b199dccf651404a4f2051e547e57bc02e50 Mon Sep 17 00:00:00 2001 From: "David A. Wheeler" Date: Tue, 5 Sep 2023 14:42:41 -0400 Subject: [PATCH] Add SECURITY.md file (#1250) * Add SECURITY.md file This commit adds a SECURITY.md file, so panicked reporters will know how to report them. Since private reporting is enabled, I presume that's how this group wants the vulnerabilities reported. I also tweaked the README to point to it. Signed-off-by: David A. Wheeler * Remove incorrect URL Signed-off-by: David A. Wheeler * Add reporting vulns to table of contents. Signed-off-by: Spencer Schrock * clarify reporting instructions for non-admin. Signed-off-by: Spencer Schrock --------- Signed-off-by: David A. Wheeler Signed-off-by: Spencer Schrock --- README.md | 7 +++++++ SECURITY.md | 7 +++++++ 2 files changed, 14 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index eedd12b8..eea5044d 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,8 @@ ________ - [Workflow Example](#workflow-example) ["Classic" PAT Requirements and Risks](#classic-personal-access-token-pat-requirements-and-risks) + +[Reporting vulnerabilities](#reporting-vulnerabilities) ________ The following GitHub triggers are supported: `push`, `schedule` (default branch only). @@ -272,3 +274,8 @@ an external contributor could potentially exploit it to extract the PAT. The only benefit of a "classic" PAT is that it can be set to never expire. However, we believe this does not outweigh the significantly higher risk of "classic" PATs compared to fine-grained PATs. + +## Reporting vulnerabilities + +If you find a vulnerability, please report it to us! +See [SECURITY.md](./SECURITY.md) for more information. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..be466026 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,7 @@ +# Security + +If you find a significant vulnerability, or evidence of one, +please report it privately. + +We prefer that you use the [GitHub mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). Under the +[main repository's security tab](https://github.com/ossf/scorecard-action/security), click "Report a vulnerability" to open the advisory form.