Add a Security Policy
postmodern opened this issue · 1 comment
postmodern commented
Add a SECURITY.md file explaining how to report vulnerabilities in bundler-audit.
- Which email address should they be sent to? (rubysec's mailing list or my email address?)
- Which PGP key, if any, should be used to encrypt emails? (I can volunteer my PGP pubkey)
/cc @reedloden
reedloden commented
I'm a bit biased here due to it being my employer (and the fact that I manage this particular offering), but HackerOne offers a completely free version for open source projects. Might I suggest that as an alternative to email and PGP? Ruby, Rails, and RubyGems all use it already, just as examples.