Re: security vuln reporting policy in GH

Ry Jones

Since this is a .md file in repo, delegating updates to that file as required to the maintainers of that repo makes sense to me.

It would also be pretty easy to roll out a default, as you described, and have maintainers update if they like?

On Wed, Sep 25, 2019 at 6:56 AM Dave Huseby <dhuseby@...> wrote:
Here's more detail in my thinking. The informational section of the security policy should really just be a link back to the policy/info published on our wiki. As for the set of releases currently being supported, I'm concerned about the maintenance of that. Do you see the maintainers keeping that list up-to-date? I haven't looked at the GH API to see if there is a way for us to refresh it from the CI pipeline when changes to the supported releases are made. Ideally, we'd use Git tags to enumerate the currently supported releases of a given repo and the CI pipeline would run a task to re-generate this policy doc and update it via the GH API.

As I said before, this is a good idea. It never hurts to shout about our security policies on every platform to encourage interaction and contributions that are security focused.

Ry Jones
Community Architect, Hyperledger
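One way the tag-driven regeneration Dave describes could work, as an added example that is not code from this thread or from Hyperledger: it assumes release tags of the form vMAJOR.MINOR.PATCH, treats the newest two minor lines as supported, and renders the "Supported Versions" table GitHub documents for SECURITY.md. The tag list is constructed; a CI job would feed it real `git tag` output and push the result through the GH API.

```python
"""Render the "Supported Versions" table of a SECURITY.md from Git tags.

Added example (not code from the thread or from Hyperledger). Assumes
release tags follow vMAJOR.MINOR.PATCH and that the newest `n_lines`
minor lines are supported, each at its highest patch release.
"""
import re
from collections import defaultdict

TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

# Constructed sample of `git tag` output; a CI job would read real tags.
SAMPLE_TAGS = ["v1.2.0", "v1.2.3", "v1.3.0", "v1.3.1", "v2.0.0", "v2.0.2",
               "v2.1.0", "nightly-2019-09-25", "v1.1.9"]


def parse_tags(tags):
    """Return {(major, minor): highest_patch} for tags that look like releases."""
    lines = defaultdict(int)
    for tag in tags:
        m = TAG_RE.match(tag.strip())
        if not m:  # ignore nightlies, RCs and other non-release tags
            continue
        major, minor, patch = (int(x) for x in m.groups())
        lines[(major, minor)] = max(lines[(major, minor)], patch)
    return dict(lines)


def supported_versions(tags, n_lines=2):
    """Newest `n_lines` minor lines are supported; everything older is not."""
    lines = parse_tags(tags)
    ordered = sorted(lines, reverse=True)
    return [(maj, mino, lines[(maj, mino)], i < n_lines)
            for i, (maj, mino) in enumerate(ordered)]


def render_table(tags, n_lines=2):
    """Markdown table in the layout GitHub documents for SECURITY.md."""
    rows = ["| Version | Supported |", "| ------- | --------- |"]
    for maj, mino, patch, ok in supported_versions(tags, n_lines):
        mark = ":white_check_mark:" if ok else ":x:"
        rows.append(f"| {maj}.{mino}.x (latest {maj}.{mino}.{patch}) | {mark} |")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table(SAMPLE_TAGS))
```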
