Missing security policy prevents a responsible disclosure in case a security vulnerability is discovered

[quapka]

Is your feature request related to a problem? Please describe.
There is no security policy set up for this project. Also, searching for security in the documentation yields 0 results.

Describe the solution you'd like
A security policy is set up, e.g. using GitHub Security Advisory. Also when creating a new issue there should be an option to report a security vulnerability that links to the policy.

Describe alternatives you've considered
One can look for/guess e-mails of trusted maintainers, but that is far from a good practice.

Additional context
None.

[quapka]

Hi folks, is there a problem in adding a security policy?

[tyranron]

@quapka thanks for bringing this up! Sorry for late reply, this is because all the maintainers have low bandwidth to dedicate to this project.

We'll add the security policy closer to releasing 0.16 version.

[quapka]

I see, @tyranron. When is the release expected or is there a secure communication channel in the meantime? Adding a security policy should not actually take much time. 🙂

[tyranron]

@quapka I guess for the moment, you may reach me or @LegNeato privately by the email address, specified in commits.

[LegNeato]

I am personally a big fan of immediate public disclosure / radical transparency (I used to manage security updates for macOS and Firefox FWIW) but we haven't had a discussion between the maintainers about what we should do for juniper yet.

[quapka]

(I used to manage security updates for macOS and Firefox FWIW)

@LegNeato that is a resume worth mentioning IMHO.

It is the maintainers/code-owners decision how such issues should be handled. Simply coming as an outsider to a project it is nice to have the disclosure policy clear & explicit (say in README.md and in SECURITY.md ~ security policy, GitHub specific). Otherwise, it seems like it might not have been thought of, and filing an issue with security vulnerability might come as a surprise.

[sno2]

Hello, who should I contact for security vulnerabilities with this organization? I tried messaging the owner of the crate, but he is currently serving in the Ukraine army and I want to make sure I contact the correct people.

[LegNeato]

#1011 (comment)