Using GitHub security policy
Why do we need security policies?
We cannot receive security issues the same way we receive bugs: a vulnerability filed as an ordinary issue is visible to everyone before we have fixed it. That is why GitHub allows you to create a security policy.
Using security policy
A security policy is a markdown file, like a README. It lets you specify which versions of your product are supported and similar information, but mainly it tells a user how to report a security issue to you. Make this a private channel such as an email address, a contact form on your website, a DM, etc. You can configure a security policy for a single repository, or for an account as a whole using the .github repository.
I personally prefer a Google Form. This allows you to collect information without revealing your email address.
Here is a sample security policy:
# Security Policy
### Supported Versions
Only the latest release of an active project is supported. Archived projects are not supported and won't be patched.
### Reporting a Vulnerability
To report security vulnerabilities privately you can use this [Google Form](#).
Once you have reported a vulnerability, give us 90 days before disclosing it elsewhere.
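As an added example (not part of the original post), here is a small check that reads a SECURITY.md like the one above and reports whether it has the two sections the post recommends, whether the reporting section names a private channel rather than a public issue tracker, and whether it states a disclosure window. The sample policy embedded below is constructed for the example; the form URL in it is a placeholder.

```python
"""Check a SECURITY.md for the sections and reporting guidance discussed above."""
import re

# Constructed sample policy, modelled on the one in the post (placeholder URL).
SAMPLE_POLICY = """# Security Policy
### Supported Versions
Only the latest release of an active project is supported.
### Reporting a Vulnerability
To report security vulnerabilities privately you can use this [Google Form](https://forms.example.invalid/report).
Once you have reported a vulnerability, give us 90 days before disclosing it elsewhere.
"""

REQUIRED_SECTIONS = ("supported versions", "reporting a vulnerability")
# Phrases that point reporters at a public channel (issues are visible to everyone).
PUBLIC_CHANNEL_HINTS = ("open an issue", "file an issue", "create an issue", "github issue")
# Markers of a private channel: an email address, a link, a form or a DM.
PRIVATE_CHANNEL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+|https?://\S+|\bform\b|\bDM\b", re.I)


def parse_sections(markdown):
    """Split markdown into {lower-cased heading: body text} using '#' headings."""
    sections, current = {}, None
    for line in markdown.splitlines():
        m = re.match(r"^#{1,6}\s+(.+?)\s*$", line)
        if m:
            current = m.group(1).lower()
            sections[current] = ""
        elif current is not None:
            sections[current] += line + "\n"
    return sections


def check_policy(markdown):
    """Return a list of findings; an empty list means the policy looks complete."""
    findings = []
    sections = parse_sections(markdown)
    for name in REQUIRED_SECTIONS:
        if name not in sections:
            findings.append(f"missing section: {name}")
    body = sections.get("reporting a vulnerability", "")
    lower = body.lower()
    if body and not PRIVATE_CHANNEL.search(body):
        findings.append("reporting section names no private channel (email, form or link)")
    for hint in PUBLIC_CHANNEL_HINTS:
        if hint in lower:
            findings.append(f"reporting section points at a public channel: '{hint}'")
    if body and not re.search(r"\b\d+\s*days?\b", lower):
        findings.append("no disclosure window (e.g. '90 days') stated")
    return findings


if __name__ == "__main__":
    print(check_policy(SAMPLE_POLICY) or "policy looks OK")
```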
Reporting Vulnerabilities
If you are a user looking to report a security issue,
- Go to the Security tab in the GitHub repository.
- Click on the policy in the side nav.
- If there is a security policy you will see it there.