“Security is not about speed but finding help when there is a security issue should be.”
The tl;dr: a security readme file holds the project’s security policy and its vulnerability reporting instructions (also known as a “responsible security disclosure policy”) in a separate file, placed in the root directory of an open source project. Security readme files for open source repositories should be a new guideline.
I am asking the JavaScript ecosystem to add a “SECURITY.md” (also referred to as a “security readme file”) to their repositories. My goal is to improve open source security by making policies more accessible and making it easier for everyone to report security vulnerabilities.
This isn’t a new thought! While giving a talk at SFNode about “Node.js Security best practices” I realized that “security.txt” works in a similar way. Unfortunately, the “security.txt” file is not intended for humans to read; it is a standard for websites and servers deployed in the wild (that is, on the intranet or internet). BUT the idea is the same: provide a route for contributors to report a security issue easily.
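To make the idea concrete, here is an added illustration of what a minimal SECURITY.md in a repository root might contain. It is not a file from the author’s security-README repository; the contact address, response times and version numbers are placeholders to be replaced by each project.

```markdown
# Security Policy

## Supported Versions

Only the versions below receive security fixes.
(Placeholder versions; replace with the project's own release lines.)

| Version | Supported          |
| ------- | ------------------ |
| 2.x     | :white_check_mark: |
| 1.x     | :x:                |

## Reporting a Vulnerability

**Please do not open a public GitHub issue for security problems.**

1. Email security@example.com (placeholder address) with:
   - the affected version(s),
   - steps to reproduce or a proof-of-concept,
   - the impact as you understand it.
2. You will receive an acknowledgement within 3 business days (placeholder).
3. We will confirm the issue, work on a fix, and keep you updated.

## Disclosure Policy

- We ask for up to 90 days (placeholder) to release a fix before public disclosure.
- Fixed issues are announced in the release notes and credited to the reporter
  unless they prefer to remain anonymous.
- We do not pursue legal action against good-faith security research that
  follows this policy.
```

GitHub surfaces a SECURITY.md from the repository root (or a `.github` directory) under the repository’s “Security” tab, so contributors find the policy without searching the README.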
Thank you to Rich Trott of Node.js for taking my talking point and running with it. I also want to take a moment to thank these other projects for already using security readme files (SECURITY.md).
Visit my GitHub repository “security-README”. I welcome comments to this idea so we can make the open source community a better place than we found it.
Please help me:
- Star this GitHub repo: https://github.com/Trewaters/security-README
- Star this GitHub repo: https://github.com/Trewaters/SFNode-Nov-2018
- Follow me “@trewaters” on GitHub: https://github.com/Trewaters
- Follow me on Twitter: https://twitter.com/trewaters