polish the security policy #5526
Revise SECURITY.md to clarify private reporting for exploitable issues and public discussion for theoretical findings

Rewrite the security policy in SECURITY.md to state quic-go implements QUIC, direct exploitable vulnerability reports to private channels, discourage public issues for such cases, and allow public discussion for non-exploitable or experimental topics; retitle the non-security section and include feature requests with links preserved.

📍 Where to Start

Start with the rewritten sections in SECURITY.md, focusing on the vulnerability reporting guidance and the renamed non-security bug section.

Macroscope summarized 6392649.
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##           master    #5526      +/-   ##
==========================================
+ Coverage   84.11%   84.16%   +0.05%
==========================================
  Files         159      159
  Lines       16350    16350
==========================================
+ Hits        13752    13760       +8
+ Misses       1963     1957       -6
+ Partials      635      633       -2
```
Pull request overview
This PR polishes the SECURITY.md file to make it more applicable to quic-go by improving clarity and removing generic language likely copied from go-libp2p's security policy.
- Rewrites the introduction to focus on quic-go as a QUIC protocol implementation rather than a project "in development"
- Clarifies when to report vulnerabilities privately vs. publicly with more concrete examples
- Updates the non-security bug section header and description for consistency
I believe the current policy was mostly copy-pasted from go-libp2p's security policy. This PR polishes the policy and makes it more applicable to quic-go.