
Add SECURITY.md

Open TravisCarden opened this issue 2 years ago • 3 comments

  • Part of #79.

Context/background: https://github.com/php-tuf/composer-stager/issues/79#issuecomment-1452167755

TravisCarden avatar Mar 03 '23 18:03 TravisCarden

I'm so glad you're working on this. Seems like a good start.

Some thoughts:

  • Maybe this should be linked from the README like "See the security guide for how to report security issues"?
  • We can clarify here that the Drupal Security process is a "hall of fame" system and can issue CVEs.
  • I tend not to use all caps in docs and prefer a "please" but I think please is kinda controversial. Maybe an emoji could help?

Something like this, perhaps:

  • 🛑 Please do not report vulnerabilities in this project in public GitHub issues.
  • ✅ Please report via the Drupal Security Team's reporting queue.

Also, should issues for this be reported to the core component? Normally if this had a project page on drupal.org there would be a project to assign it to on security.drupal.org but...without that where should this go? Wherever it is we can link directly to that reporting page in addition to the policy pages.

greggles avatar Mar 05 '23 14:03 greggles

Well, Drupal's content guidelines advise against the use of the word "please" in d.o content and prohibit it entirely in Drupal's UI text, so I would leave out the "please". Fewer words is also generally preferable.

xjm avatar Mar 06 '23 01:03 xjm

I guess that is this style guide? I see that advice, thanks. I also see the word please in a bunch of spots on that page, interestingly.

So, "please" is out. Noted.

greggles avatar Mar 06 '23 05:03 greggles

I think this is a good start; we could improve it later if/when we need to.

catch56 avatar Oct 25 '24 17:10 catch56

Alright. We'll do that then.

TravisCarden avatar Oct 28 '24 19:10 TravisCarden