removing a security review & git history
Just in regards to https://github.com/ossf/Project-Security-Reviews#removing-a-security-review
This is quite interesting: if someone posts sensitive detail (like a vuln) that is under embargo / unreported, it will be in git history. You can use something like BFG Repo-Cleaner, but if anyone has in the meantime fetched and merged from this repo into their own origin, we would not be able to clean up there.
I don't expect you to spend cycles covering this now, as you're still bootstrapping the project, but it might be an interesting area to explore later down the line.
+1 this is an important consideration. As much as possible, the landing page where people read about the nature of the repo should make this exquisitely clear; Michael has done a good job here already but we should make sure it is also communicated on any/all places that information is submitted to the repo and also in high-level announcements about the repo
We could also do a best-effort validation at PR time -- e.g. words like "undisclosed", "0-day", "did not respond" or similar could show up as a PR comment and encourage the maintainer to not merge. Of course, it's already going to be public, but disclosed in the forked repo. But that could help keep it out of our repo.
And then yes, over-communicating what is and isn't permitted, and where the user can go for a question.
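One way to implement the best-effort PR-time check described above, as an added example that is not part of the original thread or of the project's own tooling: it walks the added lines of a unified diff, matches them against a small list of phrases that hint at unreported issues, and produces the text of a comment for the maintainer. The phrase list and the sample diff are both constructed for illustration here; they are not an official list from the project, and the patterns will produce false positives (a sentence saying "no undisclosed issues were found" still matches), which is why the output is a comment to a human rather than a hard block.

```python
import re

# Heuristic phrases that suggest a review is describing an unreported or
# embargoed issue. Assumption: this list is illustrative, not a project list.
DEFAULT_PATTERNS = {
    "undisclosed": r"\bundisclosed\b",
    "0-day": r"\b(?:0|zero)[- ]?day\b",
    "did not respond": r"\b(?:did|has|have)\s+not\s+respond(?:ed)?\b",
    "under embargo": r"\bembargo(?:ed)?\b",
    "unreported": r"\bunreported\b",
    "not yet fixed": r"\bnot\s+(?:yet\s+)?(?:fixed|patched)\b",
}


def added_lines(diff: str):
    """Yield (path, new_file_line_number, text) for each line a unified diff adds."""
    path = None
    new_line = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- "):
            continue
        m = re.match(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
        if m:
            new_line = int(m.group(1))   # hunk header resets the new-file counter
            continue
        if raw.startswith("+"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue   # removed line or "\ No newline at end of file": no new-file line
        else:
            new_line += 1   # context line occupies a line in the new file


def flag_embargo_terms(diff: str, patterns=DEFAULT_PATTERNS):
    """Return [(path, line_no, label, line_text)] for every added line that matches."""
    compiled = {label: re.compile(p, re.IGNORECASE) for label, p in patterns.items()}
    hits = []
    for path, n, text in added_lines(diff):
        for label, rx in compiled.items():
            if rx.search(text):
                hits.append((path, n, label, text.strip()))
    return hits


def format_pr_comment(hits):
    """Build the PR comment body, or None when nothing was flagged."""
    if not hits:
        return None
    lines = [
        "Possible undisclosed-vulnerability language found in this PR. "
        "Please confirm every item below is already public before merging:",
        "",
    ]
    for path, n, label, text in hits:
        lines.append(f"- `{path}:{n}` matched '{label}': {text}")
    return "\n".join(lines)


# Constructed sample diff (not a real review); the file name is made up.
SAMPLE_DIFF = """\
diff --git a/reviews/example-lib.md b/reviews/example-lib.md
--- a/reviews/example-lib.md
+++ b/reviews/example-lib.md
@@ -1,3 +1,6 @@
 # Review of example-lib
 
-Scope: version 1.2.
+Scope: version 1.2, reviewed in March.
+All findings below were fixed in 1.3 and are public.
+We also found an undisclosed parser crash; the maintainer did not respond.
+Tracking: zero-day status until the maintainer ships a fix.
"""

if __name__ == "__main__":
    comment = format_pr_comment(flag_embargo_terms(SAMPLE_DIFF))
    print(comment if comment else "no embargo-related phrases found")
```

In CI this would run against the PR's diff (for example the output of `git diff origin/main...HEAD`) and post the returned comment; only added lines are scanned so that text already in the repo is not re-flagged on every edit, and removed lines are skipped because deleting a phrase is not a disclosure.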
We added additional information to the wiki and to the quickstart. I think we should also have a pull request template for this.