lxdui
Publish a security policy
The project has no documented way to report a security vulnerability in private to the developers (at least not that I saw; there's no SECURITY.md for example).
We have a Slack channel for the developer community - lxdui.slack.com. Please join us there.
On Mon, Jan 25, 2021 at 9:41 PM AJ Jordan [email protected] wrote:
The project has no documented way to report a security vulnerability in private to the developers (at least not that I saw; there's no SECURITY.md for example).
(Issue thread: https://github.com/AdaptiveScale/lxdui/issues/340)
I'm not sure if you're suggesting that I join there to talk about this issue or if I join there to report a security vulnerability, but either way that doesn't work because folks like me need an invitation to join that workspace.
What I am looking for is something like e.g. https://github.com/nodejs/node/blob/master/SECURITY.md. It doesn't have to be that detailed, but the documentation should at minimum say "here's how to easily get in touch with us to report a security vulnerability." To be perfectly honest the lack of this documentation, plus issues like #326 and #341, drastically lower my confidence that this project understands common security issues and how to avoid them (to the point where I'm wondering whether it was a mistake to put it in production). Documenting where security issues can be reported would go a long way towards signalling to potential users that they can trust LXDUI's security because the project makes it a priority. I'm sorry if this comes across as harsh; I'm guessing it does but I'm not sure how else to put it. I'm just trying to give an outsider's perspective that will hopefully be useful.