Add a security policy

Is your feature request related to a problem? Please describe.
Someone who's found a security vulnerability should be able to report it privately, allowing a patch to be released and giving users time to update before the vulnerability can be exploited.

Describe the solution you'd like
JsonCpp should have a security policy (usually titled SECURITY.md) letting anyone with a suspected vulnerability get in touch and work with maintainers out of the public eye. GitHub recommends that projects have such a policy.

The security policy can be found by users who enter the project's "Security" panel. A new issue "type" will be added to the "New issue" window pointing users to the policy if they've found a vulnerability.

Additional context
There are two main ways to receive disclosures:

If you want to use GitHub's reporting system, it must be activated for the repository:

  1. Open the repo's settings
  2. Click on Code security & analysis
  3. Click "Enable" for "Private vulnerability reporting"

I'll send a PR with a draft policy along with this issue. Another option would be to create a https://github.com/open-source-parsers/.github repository and add the SECURITY.md there. This would make the policy available to all of the org's repositories.

Disclosure
My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.
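As an added example (not part of this issue or of JsonCpp), the following script checks the two things the request above asks for: whether a repository exposes a SECURITY.md, either in the repo itself or in the org-wide `.github` fallback repo, and whether private vulnerability reporting is enabled. It assumes the GitHub REST endpoints `GET /repos/{owner}/{repo}/contents/SECURITY.md` and `GET /repos/{owner}/{repo}/private-vulnerability-reporting` (returning `{"enabled": bool}`); the decision logic is kept separate from the network calls so it can be exercised on constructed responses.

```python
# Added example (not JsonCpp code); endpoint paths assumed from GitHub's REST docs.
import json
import urllib.error
import urllib.request
from typing import Optional

API = "https://api.github.com"


def fetch(path: str, token: Optional[str] = None):
    """Return (HTTP status, parsed JSON body or None) for a GitHub API path."""
    req = urllib.request.Request(API + path, headers={"Accept": "application/vnd.github+json"})
    if token:  # unauthenticated calls work for public repos but are rate-limited
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, None


def assess(repo_policy_status: int, org_policy_status: int, pvr: Optional[dict]) -> dict:
    """Pure decision logic so it can be checked against constructed responses.

    repo_policy_status / org_policy_status: HTTP status of SECURITY.md in the
    repo itself and in the org-wide `.github` repo (GitHub falls back to it).
    pvr: body of the private-vulnerability-reporting endpoint, None on error.
    """
    if repo_policy_status == 200:
        policy_source = "repo"
    elif org_policy_status == 200:
        policy_source = "org .github"
    else:
        policy_source = None
    enabled = bool(pvr and pvr.get("enabled"))
    findings = []
    if policy_source is None:
        findings.append("no SECURITY.md in the repo or its org .github repo")
    if not enabled:
        findings.append("private vulnerability reporting is not enabled")
    return {"policy_source": policy_source, "pvr_enabled": enabled, "findings": findings}


def audit(owner: str, repo: str, token: Optional[str] = None) -> dict:
    """Live audit of one repository (needs network access)."""
    repo_status, _ = fetch(f"/repos/{owner}/{repo}/contents/SECURITY.md", token)
    org_status, _ = fetch(f"/repos/{owner}/.github/contents/SECURITY.md", token)
    _, pvr = fetch(f"/repos/{owner}/{repo}/private-vulnerability-reporting", token)
    return assess(repo_status, org_status, pvr)
```

Running `audit("open-source-parsers", "jsoncpp")` after the policy is merged and the setting enabled should return an empty `findings` list.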