Replies: 2 comments 2 replies
Actually, I don't think Tidelift offers this service any more after SonarSource acquired them and offers this advanced security instead?
Yeah, I don’t think we need this for now. If anything, the capacity of maintainers of this project is minimal. If there are any real security issues, it would probably be better to have them reported like a regular issue so disclosure is not limited to whenever one of us has time for it. Since this is a tool about formatting your code, in the worst-case scenario users can just temporarily disable it to avoid any security implications with minimal effect on the final code they are writing or shipping.
You have Tidelift as an option, so it would be good to have a security.md file, e.g. as described in
https://github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy
or
https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository