ocpp
Add a security policy or company's contact
Hey,
I think it would be interesting to have a way that people can contact us to disclose vulnerabilities that they may have found in the mobilityhouse/ocpp repository.
GitHub offers this possibility with a Security Policy, so in case someone finds a vulnerability, it can be disclosed privately first. We can link to it from our readme, so it is easier to find. 🔎
So that we can follow the Zen of Python: "Explicit is better than implicit" :wink:
That's a good idea. Thanks for the suggestion. I'm not sure what this policy should look like though. Of course we can provide an email address that can be used to inform us about security issues. But I think someone has to keep an eye on the inbox of that address to respond to emails adequately. And I'm not very eager to do that myself, to be 'always on'.
I have an example of how this looks here.
I would suggest aligning with someone responsible, e.g. the CTO or someone else, on what would be the best option in case a vulnerability is found that can affect the product. Right now, I suppose a public issue would be opened for that.
Maybe create an e-mail account specifically for security issues that could be checked from time to time, so not 24/7. What do you think?
This is certainly a good idea. As this is currently under the scope of the CIO for The Mobility House, I'll close this for now.