Add a security policy file
pnacht opened this issue · 4 comments
I've noticed that CONTRIBUTING.md points users to Facebook's bug-bounty program in case any security vulnerabilities are found in the project. Is that still the proper venue after PyTorch migrated to the Linux Foundation?
Regardless, having this information on a separate SECURITY.md file makes it much more visible for users. It'll be front and center for users who enter the project's "Security" panel, and they'll also see references to the policy in the "New issue" page.
If there's interest, I'd be happy to submit a PR with a draft policy (based on CONTRIBUTING.md or with any new information).
Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.
@malfet PTAL
PyTorch project have moved to Linux Foundation, but other projects haven't. Adding separate security.md sounds reasonable to me, and also enable security vulnerabilities reporting for the project.
@Maratyszcza would you help me review those. Though attack surface for cpuinfo is pretty small as there are no binary builds of cpuinfo published anywhere, to the best of my knowledge
Ah, was it only pytorch/pytorch that moved to the LF? I thought it was the entire org.
If so, would you like me to send a PR to set cpuinfo's security policy?
Alternatively, you could create a https://github.com/pytorch/.github repository. Adding the security policy there will make it available to all projects under the pytorch org. Any repos that need a different policy can add it to the repo and it will take precedence over the "default" policy.
Hey, just a quick bump here. Would there be interest in a PR with a draft security policy?
If yes, should it point to Facebook's bug-bounty program or has cpuinfo also moved to the Linux Foundation?
If not, feel free to close!