security: publish a security policy for the project and establish process for handling submissions with maintainers #181
Description
Is your feature request related to a problem? Please describe.
The problem is that https://github.com/cvs-health/langfair/security takes me to a very empty and non-functional place. The problem produced by that problem is that if a security researcher, user, contributor or maintainer of the project discovers a vulnerability, they have no obvious means by which to communicate that vulnerability and its state: reported, triaged, mitigated in release X.Y.Z, etc.
Describe the solution you'd like
I expect the following tasks will be needed to solve the problem
- Draft a security policy document and review with maintainers for approval
- Publish said policy document as SECURITY.md in the repository
- Update
security-insights.ymlto reflect the project's new posture - Drive a decision amongst the maintainers on what to do in the following scenarios
- new vulnerability report received, report invalid
- new vulnerability report received, report valid
- vulnerability mitigation and/or fix is released
- Setup vulnerability reporting workflows and implement changes to release process
Describe alternatives you've considered
- Maintain the status quo: this seems untenable given the popularity of the project and the growing software supply chain risks within the Python ecosystem
-
Additional context
A simple example policy that may work for the project can be found in https://github.com/ossf/security-insights/security/policy