Re: security vuln reporting policy in GH

Ry Jones


Since this is a .md file in repo, delegating updates to that file as required to the maintainers of that repo makes sense to me.

It would also be pretty easy to roll out a default, as you described, and have maintainers update if they like?
Ry

On Wed, Sep 25, 2019 at 6:56 AM Dave Huseby <dhuseby@...> wrote:
Here's more detail in my thinking. The informational section of the security policy should really just be a link back to the policy/info published on our wiki. As for the set of releases currently being supported, I'm concerned about the maintenance of that. Do you see the maintainers keeping that list up-to-date? I haven't looked at the GH API to see if there is a way for us to refresh it from the CI pipeline when changes to the supported releases are made. Ideally, we'd use Git tags to enumerate the currently supported releases of a given repo and the CI pipeline would run a task to re-generate this policy doc and update it via the GH API.

As I said before, this is a good idea. It never hurts to shout about our security policies on every platform to encourage interaction and contributions that are security focused.

Dave
--
Ry Jones
Community Architect, Hyperledger
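The tag-driven generation Dave describes, as an added example that is not code from this thread or from Hyperledger: it derives the "Supported Versions" table of a SECURITY.md from a repository's Git tags and keeps the informational section to a single link. The tag format (vMAJOR.MINOR.PATCH), the support rule (the N newest MAJOR.MINOR lines, each at its latest patch), the sample tags and the wiki URL are all assumptions; pushing the rendered file through the GitHub API is left to the pipeline.

```python
"""Generate the "Supported Versions" table of a SECURITY.md from Git tags.

Added example, not code from the thread. Assumed conventions:
- release tags are vMAJOR.MINOR.PATCH (pre-release tags such as
  v2.1.1-rc1 are ignored);
- a release line (MAJOR.MINOR) is supported if it is among the `keep`
  most recent lines, and the supported version is that line's latest patch.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
Line = Tuple[int, int]

TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

# Constructed sample tag list standing in for `git tag --list` output.
SAMPLE_TAGS = ["v1.9.0", "v1.9.3", "v2.0.0", "v2.0.2", "v2.1.0",
               "v2.1.1-rc1", "docs-freeze"]


def git_tags(repo: str) -> List[str]:
    """Read the tags of a local checkout (not used by the sample run)."""
    out = subprocess.run(["git", "-C", repo, "tag", "--list"],
                         capture_output=True, text=True, check=True).stdout
    return out.split()


def parse_tag(tag: str) -> Optional[Version]:
    """Return (major, minor, patch) for a release tag, None otherwise."""
    m = TAG_RE.match(tag.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def latest_per_line(tags: List[str]) -> Dict[Line, Version]:
    """Map each MAJOR.MINOR line to its highest patch release."""
    lines: Dict[Line, Version] = {}
    for tag in tags:
        v = parse_tag(tag)
        if v is None:
            continue
        line = (v[0], v[1])
        if line not in lines or v > lines[line]:
            lines[line] = v
    return lines


def supported_versions(tags: List[str], keep: int = 2) -> List[Version]:
    """The `keep` newest release lines at their latest patch, newest first."""
    ordered = sorted(latest_per_line(tags).values(), reverse=True)
    return ordered[:keep]


def render_table(tags: List[str], keep: int = 2) -> str:
    """Markdown table in the layout of GitHub's SECURITY.md template."""
    supported = set(supported_versions(tags, keep))
    rows = ["| Version | Supported          |",
            "| ------- | ------------------ |"]
    for v in sorted(latest_per_line(tags).values(), reverse=True):
        label = f"{v[0]}.{v[1]}.x"
        mark = ":white_check_mark:" if v in supported else ":x:"
        rows.append(f"| {label:<7} | {mark:<18} |")
    return "\n".join(rows)


def render_security_md(tags: List[str], policy_url: str, keep: int = 2) -> str:
    """Full SECURITY.md: generated table plus a link to the published policy."""
    return ("# Security Policy\n\n## Supported Versions\n\n"
            + render_table(tags, keep)
            + "\n\n## Reporting a Vulnerability\n\n"
            + f"See the project security policy: {policy_url}\n")


if __name__ == "__main__":
    # Placeholder wiki URL; a pipeline would pass the real policy page.
    print(render_security_md(SAMPLE_TAGS, "https://wiki.example.invalid/security"))
```

In a CI job the only change is to replace `SAMPLE_TAGS` with `git_tags(".")` and commit or push the rendered file, so the table can never drift from the tags that actually exist in the repository.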