Publish a security policy #340
Comments
We have a Slack channel for the developer community - lxdui.slack.com.
Please join us there.
On Mon, Jan 25, 2021 at 9:41 PM AJ Jordan ***@***.***> wrote:
The project has no documented way to report a security vulnerability in private to the developers (at least not that I saw; there's no SECURITY.md for example).
I'm not sure if you're suggesting that I join there to talk about this issue or if I join there to report a security vulnerability, but either way that doesn't work because folks like me need an invitation to join that workspace. What I am looking for is something like e.g. https://github.com/nodejs/node/blob/master/SECURITY.md. It doesn't have to be that detailed, but the documentation should at minimum say "here's how to easily get in touch with us to report a security vulnerability." To be perfectly honest the lack of this documentation, plus issues like #326 and #341, drastically lower my confidence that this project understands common security issues and how to avoid them (to the point where I'm wondering whether it was a mistake to put it in production). Documenting where security issues can be reported would go a long way towards signalling to potential users that they can trust LXDUI's security because the project makes it a priority. I'm sorry if this comes across as harsh; I'm guessing it does but I'm not sure how else to put it. I'm just trying to give an outsider's perspective that will hopefully be useful.
The project has no documented way to report a security vulnerability in private to the developers (at least not that I saw; there's no SECURITY.md for example).