Update SECURITY.md#5671

Open
jkmarz wants to merge 1 commit into ossf:main from jkmarz:patch-2
Conversation

@jkmarz
@jkmarz jkmarz commented Mar 30, 2026

update security contact info

Signed-off-by: Jessica Marz <jessica.marz@intel.com>
@ffontaine
Collaborator

Thank you for this PR. I believe that #5671 and #5672 could be combined into a single PR. Additionally, I couldn't find any information on OpenSSF regarding responsible disclosure—perhaps @terriko could assist with this.

@alex-ter
Collaborator

alex-ter commented Apr 6, 2026

@ffontaine, I've explored this a bit and looks like there's a generic org-level policy (similar thing on the OSSF About page), which suggests using the GH private vulnerability reporting functionality, with security@openssf.org email as a fallback.

Looking at the repos under the ossf org, WG ones just repeat that one and SW projects do slightly different things, depending on the project, but still similar to that general policy. The Scorecard, for example, has a bit more elaborate one, though still within that framework.

I guess we could simply adopt either of those, a simpler one, or the Scorecard's more elaborate one, though I'm not sure we'd be able to commit to things like 3-day reaction time they have there. So if I had to choose, I'd go with the generic one. What do you think? @terriko, @anthonyharrison, please feel free to chime in.
