Added security policy #3070
Conversation
As we privately discussed, we will not acknowledge CVEs of low-severity ReDoS vulnerabilities and treat them as bugs instead. I added a section about the specifics to the security policy.
@LeaVerou You own the domain prismjs.com, right? How difficult would it be to set up an email address security@prismjs.com that forwards all emails to us all?
Easy I think. I can look into it and get back to you!
That would be great. Thank you!
Since the email seems to be holding this up, I changed the wording to essentially say "just contact a maintainer." That's pretty much what people are doing right now, and it seems to work. If we want to have a dedicated email for this in the future, we still can. Of course, "contact a maintainer" has the slight problem that we don't have a list of maintainers yet, so I made a PR for that (#3410).
I have some nits about using newlines for each sentence -- IMHO it makes maintaining long-form markdown a bit easier since you can review each sentence as a "line of code", while paragraphs can still be separated w/ 2 lines :)
Content makes sense to me; I like the mix of disclosure strategies.
Good point. I can never remember whether GitHub's renderer for MD documents preserves newlines or not. (No, it doesn't. I looked it up.)
Alright, with #3410 being merged, I updated
LGTM, thanks @RunDevelopment
After #2642 and #3069, I added a security policy. It's not much, but it's a decent start, I think.
This is only a draft. We still need to decide on how people should actually contact us.
Ideally, we would have an email that forwards to all of us, so we can all respond.
@LeaVerou @mAAdhaTTah @Golmote
This resolves #2642.