Adding a Security Policy is important to provide guidance on how users can report potential vulnerabilities and communicate when vulnerabilities will be confirmed, fixed and disclosed to the public.
I recently recommended #803 and, like that change, this one also considered a good-practice and recommended by Github and Scorecard.
If you agree, I can open a PR to suggest a Security Policy! We can then work together to communicate how the repo can best handle vulnerability reports.
Additional Context
Hi again! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
Adding a Security Policy is important to provide guidance on how users can report potential vulnerabilities and communicate when vulnerabilities will be confirmed, fixed and disclosed to the public.
I recently recommended #803 and, like that change, this one also considered a good-practice and recommended by Github and Scorecard.
If you agree, I can open a PR to suggest a Security Policy! We can then work together to communicate how the repo can best handle vulnerability reports.
Additional Context
Hi again! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)