Security Policy
ID       | openssf_scorecard/security_policy
Severity | low
Category |
Levels   |
Optional | false
Tags     | policy, security, supply-chain
Description
Does the project contain a security policy?
This check tries to determine if the project has published a security policy.
Reference: OpenSSF Scorecard - Security Policy.
Rationale
At some point in the life of any software project, someone (a user, a contributor, or a security researcher) will find a vulnerability that affects the safety and usefulness of the software.
A security policy (typically a SECURITY.md file) can give users information about what constitutes a vulnerability and how to report one securely, so that information about a bug is not publicly visible.
Such a security policy should document at least:
- How to contact the project team about a potential security vulnerability.
- Whether the vulnerability report can be kept private until such time as the project decides to share it more broadly, after patches are made available.
- The reporter's expectations on communication/collaboration around the issue.
- Kinds of security issues and their corresponding fix / disclosure strategies.
Lack of a publicised security policy may lead to insecure reporting of vulnerabilities, lower trust in project security, public disclosure of vulnerabilities without prior contact with the project team or, in the worst case, vulnerabilities that were discovered but not reported due to the lack of a security policy, and were later exploited by bad actors.
Verification
This check works by looking for a file named SECURITY.md (case-insensitive) in a few well-known directories.
Remediation
- Place a security policy file (recommended name: SECURITY.md) in the root directory of your repository. This makes it easily discoverable by a vulnerability reporter.
- The file should contain information on what constitutes a vulnerability and a way to report it securely (e.g. issue tracker with private issue support, encrypted email with a published public key). You may follow the OpenSSF coordinated vulnerability disclosure guidelines or a similar process to respond to vulnerability disclosures.
- For GitHub, see more information here.
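Added example (not Scorecard's own code) covering the Verification and Remediation sections above: a Python sketch of the lookup this check performs, finding SECURITY.md case-insensitively in a few well-known directories (root, .github and docs are assumed, since the page does not list them), extended with an assumed content heuristic that looks for a reporting channel (email address or URL) as the Remediation section recommends.

```python
import os
import re
import tempfile

# The page does not enumerate the "well-known directories"; repository root,
# .github/ and docs/ are assumed here.
CANDIDATE_DIRS = ("", ".github", "docs")
POLICY_NAME = "security.md"

# Assumed content heuristic (not part of the check on this page): a usable
# policy names a reporting channel, i.e. an email address or a URL.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
URL_RE = re.compile(r"https?://\S+")


def find_security_policy(repo_root):
    """Return the path of SECURITY.md (matched case-insensitively) in the
    first candidate directory that contains one, or None if absent."""
    for sub in CANDIDATE_DIRS:
        directory = os.path.join(repo_root, sub)
        if not os.path.isdir(directory):
            continue
        for entry in sorted(os.listdir(directory)):
            path = os.path.join(directory, entry)
            if entry.lower() == POLICY_NAME and os.path.isfile(path):
                return path
    return None


def policy_has_contact(path):
    """True if the policy text contains an email address or a URL."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return bool(EMAIL_RE.search(text) or URL_RE.search(text))


def assess(repo_root):
    """Combine the presence check and the contact heuristic into one result."""
    path = find_security_policy(repo_root)
    has_contact = policy_has_contact(path) if path else False
    return {"found": path is not None, "path": path, "has_contact": has_contact}


def make_sample_repo(files):
    """Build a constructed throwaway repository from {relative_path: text}."""
    root = tempfile.mkdtemp(prefix="secpolicy-demo-")
    for rel, text in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root
```

Run `assess(make_sample_repo({".github/Security.md": "Report to security@example.org\n"}))` to see a policy found under a non-root directory with a mixed-case name.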