Pull request overview
Adds a repository security policy document to guide responsible vulnerability disclosure and point reporters to the appropriate safe-harbor policy.
Changes:
- Introduces `SECURITY.md` with instructions for reporting security issues via coordinated disclosure.
- Documents the information reporters should include to help triage.
- Links to GitHub’s Safe Harbor Policy.
GitHub takes the security of our software products and services seriously, including all of the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub).
Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation.
Line ends with trailing whitespace after the period. Please remove the trailing space to avoid formatting/lint noise and accidental Markdown line-break behavior in some renderers.
**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
Instead, please send an email to opensource-security[@]github.com.
The contact email is obfuscated as opensource-security[@]github.com, which is not clickable and increases reporting friction. Consider using a standard email (or mailto: link), or explicitly instruct reporters to replace [@] with @ so the address is unambiguous.
- Instead, please send an email to opensource-security[@]github.com.
+ Instead, please send an email to [opensource-security@github.com](mailto:opensource-security@github.com).
No description provided.