From b20f2e822b7158e8809bb0e8a45bfc2d349a4b4c Mon Sep 17 00:00:00 2001 From: John Boyes Date: Fri, 29 Mar 2024 00:42:45 +0000 Subject: [PATCH] Document security vulnerability reporting process As suggested by #439 --- README.md | 9 +++++++++ SECURITY.md | 21 +++++++++++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index dc58805a..07149e3d 100644 --- a/README.md +++ b/README.md @@ -249,3 +249,12 @@ The project is [open source](https://opensource.guide/how-to-contribute/) and al See the [DEPENDENCIES.md](.github/DEPENDENCIES.md) +## Reporting security vulnerabilities + +As per our [SECURITY.md](SECURITY.md) we welcome and appreciate security vulnerability reports. + +To report a new vulnerability: + +1. go to the [repository's Security Advisories page](https://github.com/agilepathway/label-checker/security/advisories) +2. click on `Report a vulnerability` + diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..8ee314a0 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions + +**Any fixes for security vulnerabilities will be applied to a new release only**, rather than +retrospectively applied to previous releases. + +The reason for this is that the label checker is a standalone GitHub Action with (purposefully) +minimal dependencies and therefore very straightforward for consumers to update versions. It's +**recommended for consumers to pin to the major version of the label checker**, so that they +automatically get all new backwards compatible updates (major version updates will be extremely +rare events, one every few years at most, and very possible less frequent even than that). + +## Reporting a Vulnerability + +Our policy is for vulnerability reports to be reported privately. To report a new vulnerability: + +1. go to the [repository's Security Advisories page](https://github.com/agilepathway/label-checker/security/advisories) +2. click on `Report a vulnerability` + +We welcome and appreciate vulnerability reports and will endeavour to respond very swiftly.
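Review bot: the README.md hunk duplicates the two numbered reporting steps that the SECURITY.md hunk also adds, so the two copies can drift apart when the process changes; consider keeping the steps only in SECURITY.md and having the README section link to it (e.g. "See [SECURITY.md](SECURITY.md) for how to report a vulnerability."). The hunk also ends with a bare `+` line, which leaves a trailing blank line at the end of README.md.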
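Review bot: in the SECURITY.md hunk, "very possible less frequent" should read "very possibly less frequent", and "Our policy is for vulnerability reports to be reported privately" repeats itself; "Our policy is for vulnerabilities to be reported privately" reads better. The Reporting section promises to "respond very swiftly" without saying what a reporter can expect; stating an acknowledgement window and whether reporters are told when a fix is released would make the process concrete. In Supported Versions, the consequence of the "new release only" policy could be spelled out: consumers pinned to a specific minor or patch tag rather than the major version will not receive security fixes until they move their pin.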