Create SECURITY.md #143
Merged
Create SECURITY.md #143
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR creates a security policy based off of recommendations from the OpenSSF Scorecard. A security policy may seem gratuitous, but its worthwhile to remember that this library was born from a security vulnerability on the repo from which it was forked, satori/go.uuid. Our library is simple, but it doesn't mean its immune from vulnerabilities or security issues :) With this security policy, we shoot for simplicity: - Support latest, unless there's a very good reason to not. Our package is relatively easy to keep up to date, and we go through great pains to not break the API. As a result, we should be able to put forth an expectation of supporting latest. - Lay out simple instructions for reporting a vulnerability - Mention our cooperation with OpenSSF Scorecard, and make a nod to the fact that our actively maintained score may drop when there's just not much to do with the library.
cameracker
force-pushed
the
cameracker-security-policy
branch
from
8444686
to
7e2b96f
Compare
dylan-bourque
approved these changes
May 13, 2024
SECURITY.md
Outdated
|
|
||
| One heuristic these scorecards measure to gauge whether a package is safe for consumption is an "Actively Maintained" metric. Because this library implements UUIDs, | ||
| it is very stable - there is not much maintenance required other than adding/updating newer UUID versions, keeping up to date with latest versions of Go, and responding | ||
| to reported exploits. As a result, periods of low active maintance are to be expected. |
There was a problem hiding this comment.
"maintenance" is misspelled here
SECURITY.md
Outdated
| ## Supported Versions | ||
|
|
||
| We support the latest version of this library. We do not guarantee support of previous versions. If a defect is reported, it will generally be fixed on the latest version | ||
| (provided it exists) irrespective of whether it was introduced to a prior version. |
There was a problem hiding this comment.
Should be "... introduced in a prior version."
cameracker
commented
May 13, 2024
cameracker
commented
May 13, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR creates a security policy based off of recommendations from the OpenSSF Scorecard.
A security policy may seem gratuitous, but its worthwhile to remember that this library was born from a security vulnerability on the repo from which it was forked, satori/go.uuid. Our library is simple, but it doesn't mean its immune from vulnerabilities or security issues :)
With this security policy, we shoot for simplicity: