Profile Applicability:
 Level 1

Description:
 Every public repository must include a SECURITY.md file that outlines the project's security policies, vulnerability reporting guidelines, and responsible disclosure processes. This file provides clear instructions to users and security researchers on how to report security issues, thereby improving transparency and responsiveness to potential vulnerabilities.

Rationale:
 Including a SECURITY.md file fosters effective communication regarding security concerns and encourages responsible vulnerability disclosure. It enhances trust within the user community and demonstrates a commitment to maintaining the security posture of the project.

Impact:
 Pros:

  • Improves security awareness and communication.

  • Encourages responsible reporting of vulnerabilities.

  • Builds user and contributor confidence.

 Cons:

  • Requires maintenance to keep security policies current.

  • May necessitate dedicated resources to handle security reports.

Default value:
 Many public repositories do not have a SECURITY.md file by default, which can lead to unclear reporting channels for security issues.

Audit:
 Verify that every public repository contains a SECURITY.md file. This control expects the file in the repository root; note that GitHub also renders a security policy from docs/SECURITY.md or .github/SECURITY.md, and that a repository without its own file inherits the default SECURITY.md from the organization's .github repository, so an audit that inspects only the root will flag repositories that are in fact covered. Review the file to confirm that it names a private reporting channel (a security contact address or GitHub's private vulnerability reporting), states which versions are in scope, gives an expected acknowledgement time, and contains no unfilled template placeholders.
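The following script is an added example of how the audit above can be automated; it is not tooling from the benchmark or from GitHub. The path and content checks are pure functions over constructed input so they run offline, and audit_org() wires them to the documented GitHub REST endpoints (orgs/{org}/repos and repos/{owner}/{repo}/contents/{path}). The environment variable names GITHUB_TOKEN and GITHUB_ORG, the organization "acme" and the sample repositories are assumptions for illustration; the content check is a heuristic triage, not a substitute for reading the policy.

```python
"""Audit an organization's public repositories for a usable SECURITY.md."""
import base64
import json
import os
import re
import urllib.error
import urllib.request

API = "https://api.github.com"
# Locations GitHub renders a security policy from, in order of preference.
POLICY_LOCATIONS = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s)>]+")
PLACEHOLDER_RE = re.compile(r"\b(?:tbd|todo)\b|\[insert")  # leftovers from templates


def find_security_policy(tree_paths):
    """Return the recognised policy path present in tree_paths, else None."""
    present = set(tree_paths)
    for candidate in POLICY_LOCATIONS:
        if candidate in present:
            return candidate
    return None


def check_policy_content(text):
    """Heuristic triage of the policy text; returns a list of findings (empty = ok)."""
    findings = []
    lowered = text.lower()
    if "report" not in lowered:
        findings.append("no reporting instructions")
    if not (EMAIL_RE.search(text) or URL_RE.search(text)):
        findings.append("no contact channel (email or URL)")
    if PLACEHOLDER_RE.search(lowered):
        findings.append("template placeholder left in file")
    return findings


def audit_repo(tree_paths, read_file):
    """Combine both checks; read_file(path) returns the file's text."""
    path = find_security_policy(tree_paths)
    if path is None:
        return {"policy": None, "findings": ["SECURITY.md missing"]}
    return {"policy": path, "findings": check_policy_content(read_file(path))}


def _get(url, token):
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "security-md-audit",  # GitHub rejects requests without one
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_policy_files(full_name, token):
    """Probe the candidate paths with the contents API; a 404 means absent."""
    files = {}
    for candidate in POLICY_LOCATIONS:
        try:
            data = _get(f"{API}/repos/{full_name}/contents/{candidate}", token)
        except urllib.error.HTTPError as err:
            if err.code == 404:
                continue
            raise
        files[candidate] = base64.b64decode(data["content"]).decode("utf-8", "replace")
    return files


def audit_org(org, token):
    """Audit every public repository of org; returns {full_name: result}."""
    results, page = {}, 1
    while True:
        repos = _get(f"{API}/orgs/{org}/repos?type=public&per_page=100&page={page}", token)
        if not repos:
            return results
        for repo in repos:
            files = fetch_policy_files(repo["full_name"], token)
            results[repo["full_name"]] = audit_repo(list(files), files.__getitem__)
        page += 1


# Constructed sample repository trees (hypothetical org "acme") for the offline run.
SAMPLE_REPOS = {
    "acme/good": {"README.md": "# good", "SECURITY.md":
                  "# Security Policy\n\nReport vulnerabilities to security@example.com; "
                  "we acknowledge within 3 business days.\n"},
    "acme/stub": {"README.md": "# stub", ".github/SECURITY.md":
                  "# Security Policy\n\nReport issues to [INSERT CONTACT].\n"},
    "acme/none": {"README.md": "# none", "src/main.py": "print('hi')\n"},
}


def demo():
    """Run the offline checks over SAMPLE_REPOS."""
    return {name: audit_repo(list(files), files.__getitem__)
            for name, files in SAMPLE_REPOS.items()}


if __name__ == "__main__":
    token, org = os.environ.get("GITHUB_TOKEN"), os.environ.get("GITHUB_ORG")
    for name, r in sorted((audit_org(org, token) if token and org else demo()).items()):
        print(f"{name:20} {r['policy'] or '-':22} {'; '.join(r['findings']) or 'OK'}")
```

Run it with GITHUB_TOKEN and GITHUB_ORG set to audit a real organization, or without them to see the three constructed cases (compliant, template left unfilled, missing). Two caveats when using it for real: check the organization's .github repository first, because a repository reported as missing may be covered by the inherited default, and use a token, since unauthenticated requests are rate-limited far below what three probes per repository across an organization needs.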

Remediation:
 Create and maintain a SECURITY.md file in the root of each public repository, starting from a standard template such as the one GitHub offers when adding a security policy. Customize it to state the project's security contact, the private reporting channel, the versions in scope, and the expected acknowledgement time; direct reporters to that private channel rather than the public issue tracker, since a public issue discloses the flaw before a fix exists. Review the file whenever contacts or supported versions change so that it remains accurate and accessible.

References:

  1. GitHub Documentation – About Security Policies: https://docs.github.com/en/code-security/security-policy-framework/about-security-policies

  2. OWASP – Responsible Disclosure Guidelines: https://owasp.org/www-community/Responsible_Disclosure

  3. CIS Controls v8, Control 16 – Application Software Security: https://www.cisecurity.org/controls/application-software-security/