Please create a security policy detailing contacting information, as this helps security researchers privately report issues.
The most important step in the process is providing a way for security researchers to contact your organization. The easier it is for them to do so, the more likely it is that you'll receive security reports.
Source: OWASP Cheat Sheet Series on Vulnerability Disclosure
Locations where this could be placed include, but are not limited to:
/.well-known/security.txt
on the website. See securitytxt.org.

The most common methods of communication for open-source software are e-mail and GitHub private vulnerability reporting. The only mention of security reporting I found was hidden in a small bubble on the login form. You have to go digging to find this, which is a bit annoying.