Create AboutCode-level security policy
We need to create an AboutCode.org-level security policy and reference it from each of our projects.
Some useful resources (GH context) are:
- https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository
- https://repos.openssf.org/principles-for-package-repository-security
- https://github.blog/security/vulnerability-research/a-maintainers-guide-to-vulnerability-disclosure-github-tools-to-make-it-simple/
"I’d like to help create an AboutCode-level security policy. Should it live in a central repo or each project?"
@hemantchilkuri thank you for your interest, but this is something which will be handled by the maintainers. If you have any suggestions for improvement, though, please let us know. Also, please look for other issues labeled good first issue in the projects at https://github.com/aboutcode-org, which are great for contributions.
@mjherzog I've started a draft at https://github.com/aboutcode-org/.github/blob/main/.github/SECURITY.md
Hi @mjherzog, here's a draft SECURITY.md with GitHub Security Advisories as the default disclosure method (no assumptions about a dedicated email).
Would you prefer hosting this centrally (e.g., aboutcode.org/security) and referencing it from other repos, or including the full file in each one? Happy to proceed based on your preference!
[
Security Policy
Reporting a Vulnerability
If you discover a security vulnerability in any AboutCode.org project, we strongly encourage you to report it responsibly.
- Please use the GitHub Security Advisory feature to privately disclose the issue to project maintainers.
We aim to acknowledge and begin investigating all valid reports as soon as possible.
Scope
This policy applies to all projects under the AboutCode GitHub organization, including:
- ScanCode Toolkit
- ScanCode.io
- PurlDB
- DejaCode
- License Expression Toolkit
Disclosure Policy
We follow a responsible disclosure process:
- Confirm and assess the impact of the issue.
- Work privately to develop a fix.
- Coordinate the release of a patch and advisory.
- Credit the reporter (if desired).
Out of Scope
The following are outside the scope of this policy:
- General bug reports or feature requests
- Licensing clarifications or questions
- Vulnerabilities in third-party dependencies not directly exploitable via AboutCode projects
Thank You
We appreciate your efforts to help keep the open source ecosystem secure!
]
@LuciferVid we have started a draft at https://github.com/aboutcode-org/.github/blob/main/.github/SECURITY.md and, because this is a GitHub org-specific defaults repo, it is now included in all the aboutcode-org repos. See for example: https://github.com/aboutcode-org/scancode-toolkit/?tab=security-ov-file
If you have suggestions to improve and update this, please open a PR and we can review the details there.
Hi @AyanSinhaMahapatra
I would like to work on this task.
Before I begin, I want to confirm a few details to ensure the security policy aligns with AboutCode.org standards and expectations:
- Should the policy follow a structure similar to GitHub’s SECURITY.md template, or would you prefer a more detailed policy (like AboutCode.org’s comprehensive version)?
- Should the policy include:
- vulnerability reporting process,
- supported versions,
- disclosure timelines,
- researcher guidelines,
- contact channels,
- coordinated disclosure practices?
- Will this security policy be added to all repositories within the organization (and referenced from each), or should it be created centrally and linked from individual repos?
- Do you prefer the initial draft as a PR directly, or should I share the outline first for review?
Once I have your guidance, I can prepare a complete and clean SECURITY.md that meets all requirements.
Thanks!