Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Minor updates to the "if you're using GitHub" section #52

Merged
merged 1 commit into from
Dec 18, 2023
Merged

Minor updates to the "if you're using GitHub" section #52

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions maintainer-guide.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -126,11 +126,11 @@ The vulnerability reporter is doing you a favor; don't add more steps than absol

##### If you are using GitHub

If your project is on GitHub, we recommend [enabling privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability), even though that feature is currently only in beta. This is an easy-to-use mechanism, and ease of use is key.
If your project is on GitHub, we recommend [enabling privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability). This is an easy-to-use mechanism, and ease of use is key.

We recommend that you also follow the directions for [another service](#if-you-are-using-another-service). In particular, include email address(es) people can use for reporting instead of the GitHub private reporting mechanism.

You may choose to use GitHub Security Advisory without enabling private reporting, but if you don't enable private reporting, only selected users can report vulnerabilities.
You may choose to use GitHub Security Advisories for disclosure without enabling private reporting, but if you don't explicitly enable private reporting, users will be unable to report to you privately on GitHub.

If you choose to use GitHub Security Advisory for private patch development, here's how we recommend supplementing it.
Your Security Policy should instruct reporters to email the VMT with a vulnerability report ([see `SECURITY.md` templates](https://github.com/ossf/oss-vulnerability-guide/tree/main/templates/security_policies)). The VMT will then open a Security Advisory and add the reporter as a collaborator ([see GitHub documentation on GitHub Security Advisory](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-github-security-advisories)). It is also appropriate to email that alias for questions about the vulnerability disclosure process.
Expand Down