Adding a boilerplate security policy. #143
schneidergithub wants to merge 2 commits into webmachinelearning:main from
Conversation
Pull request overview
Adds a repository SECURITY.md document intended to guide contributors on handling sensitive material and reporting security issues, aligning the repo with common GitHub expectations for a security policy file.
Changes:
- Introduces a new SECURITY.md with guidance on handling secrets/sensitive data.
- Adds guidance on evidence/audit integrity expectations.
- Adds a section describing how to report security issues.
Ready for review / approval. I suggest one of the maintainers (tagging the first from microsoft & google for visibility & simplicity): @bwalderman & @bokand adds an email address or contact form for a proper security issue submission that is private, versus using public issues.
anssiko left a comment
Thanks for the suggestion. There's no established SECURITY.md boilerplate for W3C repos currently. I'll put this to W3C Security Lead's desk.
@simoneonofri, can you suggest an appropriate SECURITY.md file considering https://w3c.github.io/security-disclosure/? My expectation is a link to that doc would be preferred over custom text to keep a canonical reference. When settled, I'd expect best practices and templates to be updated accordingly.
Thank you for the feedback Anssi. I would love to see a standard document & template to use for all my projects. A link to an official doc sounds like a great pragmatic solution.
I apologize, I made another commit to my fork that is getting auto-added to this PR. The second commit is just a repo clean-up policy I personally use, where it dismisses stale / inactive issues that have no activity over a month.
@anssiko thank you. Yes the security disclosure document you linked is the one we're working on. Something done before was this one https://github.com/w3c/securityig/blob/main/SECURITY.md as I am acting as the point of contact, but for tldr, we're also using the GitHub feature
Would you like me to close this PR since you guys seem to be on top of it. Or I can take ownership of this and submit a new PR that just points to https://github.com/w3c/securityig/blob/main/SECURITY.md
This is a default security policy, which is expected in github repos. Feel free to update the content, I copied & pasted it from another repo of mine.