We did put in place a default policy; so a project that doesn't have their own security.md inherits the top level one https://github.com/apache/.github/blob/main/.github/SECURITY.md
i.e. as can be seen at https://github.com/apache/zeppelin/security Regards, Mark On Mon, Jun 19, 2023 at 2:19 PM Paul King <pa...@asert.com.au> wrote: > Groovy has something similar: > https://github.com/apache/groovy/blob/master/.github/SECURITY.md > > It has the advantage of showing up under the "security" tab of the UI. > It summarises active Groovy versions and then, like commons, points back to > existing links/info. > > Cheers, Paul. > > > On Mon, Jun 19, 2023 at 10:58 PM Gary Gregory <garydgreg...@gmail.com> > wrote: > > > To muddle the topic further, GitHub supports incorporating a SECURITY.md > > file in their system. I've done this for Apache Commons repositories, for > > example see https://github.com/apache/commons-io/blob/master/SECURITY.md > > which simply contains text that points to > > https://commons.apache.org/security.html > > > > Gary > > > > On Mon, Jun 19, 2023, 06:55 Arnout Engelen <enge...@apache.org> wrote: > > > > > Hi, > > > > > > I've noticed security researchers getting increasingly impatient with > > > vendors that don't have clear directions on how to contact them about > > (both > > > infra and code) security issues. While most project sites do a > reasonable > > > job of linking to https://apache.org/security/ or their > project-specific > > > security pages, it can still be easy to miss sometimes. > > > > > > An approach to providing this information that is picking up steam is > > > publishing a '.well-known/security.txt' - see https://securitytxt.org/ > > for > > > all the details. > > > > > > There are two possible downsides I can see to publishing a > security.txt: > > 1) > > > it might cause more low-quality/(semi)generated reports to find us > (like > > > warnings about open directory listings), and 2) it has a mandatory > > > 'Expires' field that needs to be maintained. For '1', by linking to the > > > security webpage rather than the security email address I suspect we'll > > > avoid most of that. For '2', I personally would have preferred this > field > > > to be optional, but I think it's not terrible to use that field to > keep a > > > 'pulse' of whether this information has been recently validated. > > > > > > I've proposed adding a security.txt for apache.org at > > > https://github.com/apache/www-site/pull/229 . We might also encourage > > > projects to publish their own, and add this to > > > https://whimsy.apache.org/site/ . > > > > > > What do you think? > > > > > > > > > Kind regards, > > > > > > Arnout > > > > > >