Security policies are important documents, and the policy file named something like SECURITY or security.txt or SECURITY-POLICY.md should be highlighted when users view a release.
At the moment, it does not show the policy at all and the user needs to browse the release files to see it.
Note that a guide to including a security policy with distributions has been added to the CPAN Security Group (CPANSec) page at https://security.metacpan.org/docs/guides/security-policy-for-authors.html and GitHub also recommends adding a security policy to repositories now.
The rationale is to let users know how to report a security issue with the software, what will be supported, and what response they can expect.
Common names for it (case-insensitive) would match m/security(\.(txt|md|pod))?/in e.g.
Note: as of 6 January there were at least 63 distributions with SECURITY.MD and this is starting to get traction, e.g. on Reddit here and there,