Create SECURITY.md #143
Conversation
This PR creates a security policy based on recommendations from the OpenSSF Scorecard. A security policy may seem gratuitous, but it's worthwhile to remember that this library was born from a security vulnerability on the repo from which it was forked, satori/go.uuid. Our library is simple, but it doesn't mean it's immune from vulnerabilities or security issues :)

With this security policy, we shoot for simplicity:

- Support latest, unless there's a very good reason not to. Our package is relatively easy to keep up to date, and we go to great pains to not break the API. As a result, we should be able to put forth an expectation of supporting latest.
- Lay out simple instructions for reporting a vulnerability.
- Mention our cooperation with OpenSSF Scorecard, and make a nod to the fact that our actively maintained score may drop when there's just not much to do with the library.
Approved, with a couple of grammatical nits
SECURITY.md
Outdated
One heuristic these scorecards measure to gauge whether a package is safe for consumption is an "Actively Maintained" metric. Because this library implements UUIDs, it is very stable - there is not much maintenance required other than adding/updating newer UUID versions, keeping up to date with latest versions of Go, and responding to reported exploits. As a result, periods of low active maintance are to be expected.
"maintenance" is misspelled here
SECURITY.md
Outdated
## Supported Versions

We support the latest version of this library. We do not guarantee support of previous versions. If a defect is reported, it will generally be fixed on the latest version (provided it exists) irrespective of whether it was introduced to a prior version.
Should be "... introduced in a prior version."