security-README file, “SECURITY.md”

“Security is not about speed but finding help when there is a security issue should be.”

tl;dr: A security readme file keeps the project’s “security policy” and “vulnerability reporting” guidelines (a.k.a. its “responsible security disclosure policy”) in a separate file. The security readme file lives in the root directory of an open source project. Security readme files for open source repositories should become a new guideline.

I am asking the JavaScript ecosystem to add a “SECURITY.md” (also referred to as a “security readme file”) to their repositories. My goal is to improve open source security by making policies more accessible and making it easier for everyone to report security vulnerabilities.

This isn’t a new thought! While giving a talk at SFNode about “Node.js Security best practices” I realized that “security.txt” functions in a similar way. Unfortunately, the “security.txt” file is not intended for humans to read. It is a standard for websites and servers to use in the wild (a.k.a. the intra/internet). BUT the idea is the same: provide a route for contributors to report a security issue easily.

Thank you to Rich Trott of Node.js for taking my talking point and running with it. I also want to take a moment to thank these other projects for already using security readme files (SECURITY.md).

Visit my GitHub repository “security-README”. I welcome comments on this idea so we can make the open source community a better place than we found it.

Please help me:

  1. Star this GitHub repo
     ( https://github.com/Trewaters/security-README )
  2. Star this GitHub repo
     ( https://github.com/Trewaters/SFNode-Nov-2018 )
  3. Follow me “@trewaters” on GitHub
     ( https://github.com/Trewaters )
  4. Follow me on Twitter
     ( https://twitter.com/trewaters )