Each OpenJS Foundation project must publish a security policy in an easily accessible place. The recommended approach is to publish the security policy in each GitHub repository.
Projects that have their own organization on GitHub are advised to place the SECURITY.md file in the .github repository for the organization.
Project security policy should explain how to confidentially report a security vulnerability.
Each project should support at least one security reporting channel. Common ways of accepting vulnerability reports are:
- Designated email address, e.g.
security@example.com. - Vulnerability disclosure program, e.g. hosted on platform such as HackerOne or similar.
Projects that have their own reporting channels are encouraged to continue using them and document it in the security policy.