You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It is good practice for every repo to have a security policy (such as SECURITY.md). This is particularly important if someone wanted to find a suitable channel in which to raise a security bug or vulnerability they have identified. For some repos, I imagine this wouldn't be relevant (e.g. panel discussions) but for any code in the https://github.com/solid or https://github.com/solid-contrib organizations which may be used by the community, I would suggest this is important. The questions arising are:
Do we have a single policy pointed to by all repos?
What is the process around managing this communication channel?
a. A concern should not be raised as a GitHub issue if it is a vulnerability - it needs to be on a private communication channel
b. Either every project needs to define its own communication channel - maintenance nightmare
c. Or, there is a central channel e.g. [email protected] but then whoever receives this needs to be able to identify the relevant person and pass the message on in a timely manner
Whilst there is nothing else in place, in the case of the Conformance Test Harness, I added https://github.com/solid-contrib/conformance-test-harness/blob/main/SECURITY.md. This currently points to the Inrupt security policy and communication channel on the basis that Inrupt was the initial contributor of the code and is still actively maintaining it.
The text was updated successfully, but these errors were encountered:
It is good practice for every repo to have a security policy (such as
SECURITY.md). This is particularly important if someone wanted to find a suitable channel in which to raise a security bug or vulnerability they have identified. For some repos, I imagine this wouldn't be relevant (e.g. panel discussions) but for any code in the https://github.com/solid or https://github.com/solid-contrib organizations which may be used by the community, I would suggest this is important. The questions arising are:a. A concern should not be raised as a GitHub issue if it is a vulnerability - it needs to be on a private communication channel
b. Either every project needs to define its own communication channel - maintenance nightmare
c. Or, there is a central channel e.g. [email protected] but then whoever receives this needs to be able to identify the relevant person and pass the message on in a timely manner
Whilst there is nothing else in place, in the case of the Conformance Test Harness, I added https://github.com/solid-contrib/conformance-test-harness/blob/main/SECURITY.md. This currently points to the Inrupt security policy and communication channel on the basis that Inrupt was the initial contributor of the code and is still actively maintaining it.
The text was updated successfully, but these errors were encountered: