We are doing some work at the summit on security best practices and vulnerability disclosure came up. So we’ll add it as SPEC 11. Here’s the scope for the spec:
- Security policy (what it should include, and a template)
- Prominently document how to report vulnerabilities
  - Contact information
  - Enable private vulnerability reporting via API (GitHub Security Advisories for GitHub, Confidential Issues for GitLab)
- What to do when you get a vulnerability report?
  - Use resources like the Guide to coordinated vulnerability disclosure.
  - Explicitly disclose security issues affecting vendored dependencies.
  - Acknowledge
  - Request CVE
  - Share CVE
  - Release (add CVE number in the release notes)
This is the draft: SPEC-11 - HackMD
This is the issue: Vulnerability Disclosure · Issue #322 · scientific-python/specs · GitHub
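To make the scope above checkable, here is an added example (not part of the post, the SPEC draft, or the scientific-python project) that lints a project's SECURITY.md against the listed items: reporting instructions, contact information, a private reporting channel, response expectations, vendored-dependency disclosure, and a CVE process. The regex heuristics and the two sample policy texts are constructed for illustration; the GitHub URL is a placeholder.

```python
"""Lint a SECURITY.md against the SPEC 11 scope items.

Added example; the checks and the sample policy texts are constructed and
are not taken from the SPEC draft. Adjust the patterns to your own wording.
"""
import re

# Scope item -> regex that must match somewhere in the policy (case-insensitive).
# These are heuristics, not a definition of a good policy.
CHECKS = {
    "reporting instructions": r"report(ing)?\s+(a\s+)?(security\s+)?(vulnerabilit|issues?)",
    "contact information": r"[\w.+-]+@[\w-]+\.[\w.]+",            # an e-mail address
    "private reporting channel": r"(security/advisories/new|private vulnerability reporting|confidential issues?)",
    "response expectations": r"\b(within\s+\d+|acknowledg)",       # e.g. "within 5 business days"
    "vendored dependencies": r"vendor(ed)?\s+dependenc",
    "cve process": r"\bCVE\b",
}


def lint_security_policy(text: str) -> list[str]:
    """Return the scope items the policy text does not appear to cover."""
    missing = []
    for name, pattern in CHECKS.items():
        if not re.search(pattern, text, re.IGNORECASE):
            missing.append(name)
    return missing


# Constructed sample: a policy that covers every scope item.
GOOD_POLICY = """\
# Security Policy

## Reporting a vulnerability

Please report security vulnerabilities privately through GitHub Security Advisories:
https://github.com/example-org/example-project/security/advisories/new
(placeholder URL). If that is not possible, email security@example.org.

We will acknowledge your report within 5 business days, request a CVE once the
issue is confirmed, and list the CVE number in the release notes.

Security issues in vendored dependencies are disclosed explicitly in our advisories.
"""

# Constructed sample: a policy with only a contact address.
MINIMAL_POLICY = """\
# Security

Email security@example.org with any problems.
"""


def main() -> None:
    for label, policy in (("good", GOOD_POLICY), ("minimal", MINIMAL_POLICY)):
        missing = lint_security_policy(policy)
        status = "OK" if not missing else "missing: " + ", ".join(missing)
        print(f"{label}: {status}")


if __name__ == "__main__":
    main()
```

Run it against a real file with `lint_security_policy(open("SECURITY.md").read())`; an empty list means every scope item was found.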