-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create a Security Policy #1511
Comments
There's $100/month on Tidelift for JNA, https://tidelift.com/lifter/search/maven/net.java.dev.jna:jna, with TideLift and we could enable enterprise support using them. I can set it up, and we'd have to figure out how to distribute the $. I've had good success in other projects. Maybe @matthiasblaesing, @twall and others are interested? Here's a security policy I use for other lifted projects: https://github.com/slack-ruby/slack-ruby-client/blob/master/SECURITY.md |
Right now I'm not interested in contracted work on JNA. |
Right. Neither am I. Tidelift takes care of being the one with a contract for security patching work. It just happens to offer some money, which we can distribute via GitHub sponsors for example. Care to take a look at say what you think about it? |
I have set up my JNA-based project on Tidelift. It's not that much work to set up (making sure you have a security policy stated which you can copy and paste pointing to them), point to where release notes are, and list the currently supported branch(es). It does somewhat create the expectation of "support" in terms of fixing bugs, but I think we already do our best to do that anyway. |
These are the folks with maintain/write permissions: Would you be ok adding TideLift to this project? Appreciate a yes/no from some majority, and as before I think @twall can veto/decide if we have a tie. I can do all the work to set it up, collect the $100/mo via my LLC, pay taxes, and redistribute it via GH sponsors if anyone wants some and has it setup. I think any organization that wants to pay open-source contributors, however little it is, is a good thing. So my vote is a yes. |
I’m fine with it!
|
Hi @twall @matthiasblaesing @lgoldstein @bhamail @krosenvold @toddfast any thoughts about this? We can either configure Tidelift or use Github Security Advisory to receive vulnerability reports. Let me know what you rather do. Thanks! |
A Security Policy is a GitHub standard document (
SECURITY.md
) that can be seen in the “Security Tab” to instruct users about how to report vulnerability in the safest and most efficient way possible.It is a Scorecard Recommendation (being one check of medium priority) and a Github Recommendation.
Together with this issue I’ll submit one suggestion of Security Policy, feel free to edit it directly or ask me for editions until it is in compliance with how JNA would best handle with vulnerabilities reports.
The text was updated successfully, but these errors were encountered: