
Security.md guidance

Open vinzscam opened this issue 1 year ago • 2 comments

Summary

We need to have a security policy in place for when vulnerabilities are found and reported. We should look to copy as much as possible from the backstage/backstage repo.

  • GitHub Security Advisories are a good process that we found useful, let's copy that.
  • Let's copy over some of the best practices from the other repo too.
  • Snyk / Renovate / Dependabot guidance too?

vinzscam avatar Feb 16 '24 12:02 vinzscam

I could probably copy some config from janus-idp repos for renovate and snyk setup (as PRs).

nickboldt avatar Feb 26 '24 15:02 nickboldt

I notice this has fallen off our list a little. Today, if someone wanted to report a security issue in a plugin - where would they go? Should we start by documenting that?

BethGriggs avatar May 22 '24 22:05 BethGriggs

SECURITY.md now exists; we'll iterate as needed.

BethGriggs avatar Jun 10 '24 14:06 BethGriggs