Security policy

[orpheuslummis]

Consider the inclusion and maintenance of a security policy.

Examples:

• https://github.com/ethereum/go-ethereum/blob/master/SECURITY.md
• https://github.com/tendermint/tendermint/blob/master/SECURITY.md
• https://github.com/influxdata/influxdb/blob/master/SECURITY.md

[orpheuslummis]

• https://github.com/google/oss-vulnerability-guide/blob/main/guide.md
• https://www.matrix.org/security-disclosure-policy/

[orpheuslummis]

Use https://github.com/sourcenetwork/defradb/security/ by way of having 1) having a SECURITY.md and 2) a process of reporting security advisories there.

Detail supported versions.

Source will provide email support for the disclosure of vulnerabilities.

• Providing a public key GPG/PGP to encrypt the message is recommended.
• [email protected]
• Manage keys with hardware keys, TBD

Reports audits, perhaps in /docs in the repo, and in the SECURITY.md.

Consider operating a bug bounty program.

Document our process, including disclosure process.

[orpheuslummis]

I suggest this issue requires discussion from @addobot and @jsimnz .

[orpheuslummis]

https://docs.github.com/en/code-security/getting-started/github-security-features

[orpheuslummis]

Specifying a threat model

[orpheuslummis]

https://go.dev/security/policy

[orpheuslummis]

#1194