auto-detect .github/SECURITY.md for `vulnerability_report_process`
Opened this issue · 2 comments
raboof commented
If a repository-level or org-level (e.g. https://github.com/apache/.github/blob/main/.github/SECURITY.md) .github/SECURITY.md is found, that should be sufficient to auto-detect `vulnerability_report_process`.
david-a-wheeler commented
I'd prefer to find a way to be a little more confident than simply "file present". Maybe we can detect an email address or a reference to the GitHub security reporting mechanism? I'm not sure what patterns to look for, any suggestions?
raboof commented
Hmm, I guess we could have a bunch of regexes, like indeed links to the GitHub security reporting mechanism and texts like "report(ing)? a vulnerability", "to report a (new)? vulnerability", and go from there?
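One way to implement the regex approach sketched in the comments above, as an added example that is not the badge project's own code: the patterns, the signal names, the decision rule (a reporting phrase plus at least one contact channel) and the sample SECURITY.md texts are all assumptions constructed here.

```python
import re

# Constructed signals that a SECURITY.md describes an actual reporting process
# rather than merely existing (assumed patterns, not the project's own list).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# GitHub's private security advisory / reporting form for a repository.
GITHUB_ADVISORY_RE = re.compile(
    r"https?://github\.com/[\w.-]+/[\w.-]+/security/advisories(?:/new)?", re.I)
# "report(ing) a vulnerability", "to report a new vulnerability",
# "report security issues", etc.
PHRASE_RE = re.compile(
    r"\breport(?:ing)?\s+(?:a\s+|any\s+|new\s+|a\s+new\s+)?"
    r"(?:security\s+)?(?:vulnerabilit(?:y|ies)|issues?)\b", re.I)


def security_md_signals(text):
    """Return the set of signal names found in SECURITY.md text."""
    signals = set()
    if EMAIL_RE.search(text):
        signals.add("email")
    if GITHUB_ADVISORY_RE.search(text):
        signals.add("github_advisory")
    if PHRASE_RE.search(text):
        signals.add("report_phrase")
    return signals


def has_vulnerability_report_process(text):
    """Assumed decision rule: a reporting phrase plus a contact channel
    (email address or GitHub advisory link) is needed; file presence alone
    or a bare 'we take security seriously' is not enough."""
    signals = security_md_signals(text)
    return "report_phrase" in signals and bool(signals & {"email", "github_advisory"})


# Constructed sample SECURITY.md contents (not real projects' files).
SAMPLE_GOOD = """# Security Policy
## Reporting a Vulnerability
Please report security issues to security@example.org or open a report at
https://github.com/example-org/example-repo/security/advisories/new.
"""
SAMPLE_WEAK = """# Security Policy
We take security seriously. Supported versions: 1.x.
"""

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(name, sorted(security_md_signals(text)),
              has_vulnerability_report_process(text))
```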