[Proposal] Prefer GitHub-based security vulnerability reporting workflow #75

Open
yurishkuro opened this issue Jan 18, 2023 · 2 comments

Comments

@yurishkuro
Member

yurishkuro commented Jan 18, 2023

Our current policy (added in open-telemetry/.github#1) is to report security vulnerabilities to TC via encrypted email. GitHub now supports reporting vulnerabilities directly to maintainers of a specific repository (Example: https://github.com/open-telemetry/opentelemetry-cpp/security/advisories).

I propose to change our policy to prefer this new method of reporting over emails to TC, because it makes the handling of security issues more decentralized and goes directly to the respective repo maintainers, instead of being channeled through TC (which creates an unnecessary bottleneck). The encrypted email to TC workflow will remain as a fallback method.


@MadVikingGod

I think this is a good idea. Some questions I have:

  • Should the maintainers notify the TC that they have a reported vulnerability, and if so, within what time frame?
  • Is there a way to automate that reporting?
  • How would we as an organization test that reports are being received, and acted upon?

@yurishkuro
Member Author

@MadVikingGod I think relying on automation would be ideal. There are GitHub APIs for accessing advisories and vulnerabilities (e.g. https://docs.github.com/en/graphql/reference/objects#securityadvisory). I don't know if just the reports can be accessible, since until an advisory is published it's hidden from the public.

@mtwo mtwo transferred this issue from open-telemetry/community Oct 1, 2024