# development

hundreds-father-404

10/29/2022, 5:45 PM
Hey, I'm going through the Linux Foundation class on secure software development. They recommend OSS projects have a top-level `SECURITY.md` file for how people should report vulnerabilities. Thoughts on formalizing our process?
The only precedent I see is https://github.com/pantsbuild/pants/issues/11933, where we direct a user to email pantsbuild@gmail.com. We could simply formalize that. Or create a dedicated e.g. Google group that mirrors our Code of Conduct. That is, multiple people can be in the group.

bitter-ability-32190

10/30/2022, 6:56 PM
With how much people reach out on Slack for literally everything else, it seems to me if someone did want to report something they'd just ask here where to report it.

busy-vase-39202

10/31/2022, 4:33 PM
Someone shouldn't need to create a slack account just to report a security issue though.