PROJECT_SECURITY_REPORTING.md

File metadata and controls

18 lines (10 loc) · 1.06 KB

Minimum security reporting requirements for OpenJS Foundation projects

Security policy

Each OpenJS Foundation project must publish a security policy in an easily accessible place. The recommended approach is to publish the security policy in each GitHub repository.

Projects that have their own organization on GitHub are advised to place the SECURITY.md file in the .github repository for the organization.

Reporting

The project's security policy should explain how to confidentially report a security vulnerability.

Each project should support at least one security reporting channel. Common ways of accepting vulnerability reports are:

  1. A designated email address, e.g. security@example.com.
  2. A vulnerability disclosure program, e.g. hosted on a platform such as HackerOne.

Projects that already have their own reporting channels are encouraged to continue using them and to document them in the security policy.