bat icon indicating copy to clipboard operation
bat copied to clipboard
verified publisher icon sharkdp

docs(security): add initial security policy

Open janderssonse opened this issue 7 months ago • 1 comments

This PR adds a SECURITY.md file, battle tested in other projects and orgs, (the construct is CCO ie public domain, for example from here https://raw.githubusercontent.com/itiquette/git-provider-sync/refs/heads/main/SECURITY.md so just reuse)

A SECURITY.md would help anyone assessing the project for use, give a hint of how it handles critical no public security issues, and give anyone a clear instruction on how to report them non public.

IE, for someone thinking about using bat in an organisation or privately it would give an extra trust factor.

This policy basically says "send your findings, and we will see if we handle them, we will notify you".

Besides, being a good FOSS practice, makes the project look more professional and it is heavily supported by GitHub https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file etc as one of the community health files, so it will pop up automatically in the ui for the end user.

Examples: Security Tab in project front will be added automatically Skärmbild från 2025-05-11 05-57-27

Security Policy in the top right corner of UI will be added automatically

Skärmbild från 2025-05-11 05-58-05

Security Policy under Security Overview for the project will have the Security Policy green and enabled. Skärmbild från 2025-05-11 05-58-23

NOTE: there is a <...> in the text, where the preferred channel for reporting should be added I left that for you, (or tell me what to add there, and I'll rebase with that).

NOTE: I had this in multiple orgs and projects over the years. Only once I had a report, so I dont think one should be worry about getting to much reports from this, this is at least my experience.

janderssonse avatar May 11 '25 05:05 janderssonse

It fails without a changelog entry, but I think this applies (I see this as docs). >[!NOTE]

For PRs, a CI workflow verifies that a suitable changelog entry is added. If such an entry is missing, the workflow will fail. If your changes do not need an entry to the changelog (see above), that workflow failure can be disregarded.

janderssonse avatar May 11 '25 05:05 janderssonse

Closing for now to keep PR inbox clean but we can keep discussing here if needed.

Enselic avatar Aug 26 '25 06:08 Enselic

Like I said, I prefer a minimal change.

I'd also like to keep the header in the README.md to that old links don't break, but it should reference the SECURITY.md file.

Please have a look again:)

janderssonse avatar Aug 27 '25 16:08 janderssonse