Security policy? #7
Closed
DanHeidinga
started this conversation in
General
Replies: 2 comments
-
I have one drafted (pushed): https://github.com/commonhaus/foundation-draft/blob/main/SECURITY.md This is more of a ... "please use confidential reporting mechanisms built into tools" initial focus, rather than a "how can we as a collection of projects work together to improve how Java security issues are resolved in our libraries (in a way that does not equate to another procedure defining working group)"
-
Thanks Erin. I agree this provides the necessary guidance to projects / reporters.
-
Does the Foundation need a security policy? Just as it requires projects to have a CoC, it would make sense to require projects to have a policy for how they handle security bugs and reporting of CVE fixes in each release.
I'd expect an escalation path / default option of reporting to the foundation until a project gets its own policy in place, just as CoC violations are handled.
There's probably more to spell out here - worth checking the Apache, Eclipse, Linux foundations for how they approach this.