From fe9e66993fdbcc2981c7361b9b034a451eb0fc42 Mon Sep 17 00:00:00 2001 From: Lasse Collin Date: Sat, 30 Nov 2024 12:05:59 +0200 Subject: [PATCH] Docs: Remove .github/SECURITY.md One of the reasons to have this file in the xz repository was to show vulnerability reporting info in the Security section on GitHub. On 2024-11-25, I added SECURITY.md to the tukaani-project organization on GitHub: https://github.com/tukaani-project/.github/blob/main/SECURITY.md GitHub shows that file in all projects in the organization unless overridden by a project-specific SECURITY.md. Thus, removing the file from the xz repo makes GitHub show the organization-wide text instead. Maintaining a single copy for the whole GitHub organization makes things simpler. It's also nicer to have fewer GitHub-specific files in the xz repo. Information how to report bugs (including security issues) is available in README and on the home page too. The OpenSSF Scorecard tool didn't find .github/SECURITY.md from the xz repository. There was a suggestion to move the file to the top-level directory where Scorecard should find it. However, Scorecard does find the organization-wide SECURITY.md. Thus, the file isn't needed in the xz repository to score points in the Scorecard game: https://scorecard.dev/viewer/?uri=github.com/tukaani-project/xz Closes: https://github.com/tukaani-project/xz/issues/148 Closes: https://github.com/tukaani-project/xz/pull/149 --- .github/SECURITY.md | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md deleted file mode 100644 index 01ac4896e..000000000 --- a/.github/SECURITY.md +++ /dev/null @@ -1,14 +0,0 @@ -# Security Policy - -If you discover a security vulnerability in this project, please -report it privately. **Do not disclose it as a public issue.** - -You may submit a report via email to -[Lasse Collin](mailto:lasse.collin@tukaani.org) -(OpenPGP key fingerprint: 3690 C240 CE51 B467 0D30 AD1C 38EE 757D 6918 4620), -or through -[Security Advisories](https://github.com/tukaani-project/xz/security/advisories/new). - -This project is maintained by volunteers on a reasonable-effort basis. -Please give 30 days to work on a fix before public exposure, -reducing the chance that an exploit will be used before a patch is released.