owasp-java-encoder icon indicating copy to clipboard operation
owasp-java-encoder copied to clipboard

Published 20 hours ago verified publisher icon OWASP

Process for reporting possible security vulnerabilties

Open kwwall-gri opened this issue 4 years ago • 0 comments
trafficstars

I suggest creating a SECURITY.md file describing your security process for reporting any security vulnerabilities. I can be as simple as "Report the issue as an email to [email protected] with subject of 'Potential security vulnerability in X'" or however complicated as you want, but you probably do NOT want to have people by default report it publicly via GitHub Issues since generally anyone can read those for a public repository.

I'm not claiming either of these are perfect approach, but just throwing them out there as an idea if you wish to copy or get some ideas for creating your own:

  • https://github.com/ESAPI/esapi-java-legacy/blob/develop/SECURITY.md#reporting-a-vulnerability

or

  • https://github.com/nahsra/antisamy/blob/main/SECURITY.md#reporting-a-vulnerability

kwwall-gri avatar Aug 31 '21 00:08 kwwall-gri