Discussion · bonfire.cafe

Strongly recommend adding a SECURITY.md to all your open source repos, if you're on GitHub also enable Private Vulnerability Reporting.

https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/adding-a-security-policy-to-your-repository

https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/privately-reporting-a-security-vulnerability

GitHub Docs

Privately reporting a security vulnerability - GitHub Docs

Some public repositories configure security advisories so that anyone can report security vulnerabilities directly and privately to the maintainers.

GitHub Docs

Adding a security policy to your repository - GitHub Docs

You can give instructions for how to report a security vulnerability in your project by adding a security policy to your repository.

Andrew Nesbitt

@andrewnez@mastodon.social · 59 minutes ago

A good way to reduce noisy AI security reports is also to write a public vulnerability disclosure policy with what is considered a security issue and what is just a bug.

Curl has an excellent one as an example: https://github.com/curl/curl/blob/master/docs/VULN-DISCLOSURE-POLICY.md

GitHub

curl/docs/VULN-DISCLOSURE-POLICY.md at master · curl/curl

A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, MQTTS, POP3, POP3S, RTSP, SCP,...