Add a SECURITY.md #20
Codecov Report: Patch and project coverage have no change.

Additional details and impacted files:

@@ Coverage Diff @@
##            main      #20   +/-   ##
=========================================
  Coverage   100.00%   100.00%
=========================================
  Files            1         1
  Lines           10        10
=========================================
  Hits            10        10

View full report in Codecov by Sentry.
Personally I'm a bit opposed to worrying about security. I know this is not the "right way", but I feel like it's often not a necessity for the sort of stuff we're building (cf. pybids and nilearn do not have a SECURITY.md). And maintaining a responsible security policy seems hard. My 2c would be to not put this in the template, but add it to projects that require it.
@gkiar tie breaker on these opposing reviews? :)
It'd only not be a necessity if there are no vulnerabilities, which means there's no work to do anyway :). Security should always be a concern; it takes but a single significant data leak that makes it into the media to drag CMI's reputation into the gutter.
Afaict, the policy is just:
I see no harm in including that in templates? As @clane9 rightly points out: most of the time this is irrelevant for what we do, and, as @ReinderVosDeWael says, when it is relevant, it's important and we want to cover our bases. |
This PR adds a security policy which informs users on how to inform us of security vulnerabilities in our applications. For an example usage, see the side bar of https://github.com/cmi-dair/cross-species-mapper/ .
Instructions have been added to the README.md to either modify SECURITY.md, or delete it if it's not relevant.