[Feature] Enable Security Policy and Private Vulnerability Reporting #221

Description

@XlabAITeam

As a cryptography library, it is essential to provide a secure channel for reporting potential security concerns. Implementing a formal security policy ensures that any future findings can be disclosed, discussed, and resolved privately before being made public, protecting both the project and its users.

Suggested Plan:

  1. Add a SECURITY.md file: Define the process for reporting potential security issues.
  2. Enable Private Vulnerability Reporting: Turn on this feature in Settings to allow researchers to submit reports confidentially via GitHub (Ref: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository).
  3. Security Advisories: This will allow the project to coordinate security fixes and issue CVEs if necessary.
