Repo security policies #310
Description
It is good practice for every repo to have a security policy (such as SECURITY.md). This is particularly important if someone wanted to find a suitable channel in which to raise a security bug or vulnerability they have identified. For some repos, I imagine this wouldn't be relevant (e.g. panel discussions) but for any code in the https://github.com/solid or https://github.com/solid-contrib organizations which may be used by the community, I would suggest this is important. The questions arising are:
- Do we have a single policy pointed to by all repos?
- What is the process around managing this communication channel?
a. A concern should not be raised as a GitHub issue if it is a vulnerability - it needs to be on a private communication channel
b. Either every project needs to define its own communication channel - maintenance nightmare
c. Or, there is a central channel e.g. [email protected] but then whoever receives this needs to be able to identify the relevant person and pass the message on in a timely manner
Whilst there is nothing else in place, in the case of the Conformance Test Harness, I added https://github.com/solid-contrib/conformance-test-harness/blob/main/SECURITY.md. This currently points to the Inrupt security policy and communication channel on the basis that Inrupt was the initial contributor of the code and is still actively maintaining it.