Mark J. Cox

Results 9 comments of Mark J. Cox

This may be a "live with it/won't fix" as I didn't get any 2021 names of 4 digits anyway

I've noticed that many of the entries on metrics.openssf.org are many months out of date. In the meantime could you do a manual run (I've made a change to Apache...

Am I looking in the right place? I made the change https://github.com/apache/.github/commit/c5e16821126392a9613ee5def9d1cce56a1f64bf on Jul 19th which should cause all ASF scorecards to get a pass on security.md (by inheritance). https://metrics.openssf.org/search?q=apache...

Also the issue I was facing (scorecards not taking account of organisation wide policy files) was a bug so the Apache scorecards will all update appropriately once https://github.com/ossf/scorecard/pull/837 is merged...

Hi! Nice work, and so quick :) It's a little tricky to determine the best approach as really everything could be collapsed into security-forum including the policy and reporting address....

Looks like none of the ASF DOAP files pull in foaf at all, but I don't think it would affect any of the current parsing that would make it an...

Agree, I think `security-policy` is really useful in conjunction with `security-contact`.

I'm running this daily and tweaking it and it'll eventually get auto emailed out probably weekly. Example from last night ("stalled issues" where "stalled" means no update in 30 days)...

> > The CVE record has been updated to invalid so my request to edit the title of this PR to remove the CVE reference stands.
> >
> > For clarity,...