git.ipfire.org Git - thirdparty/xz.git/commitdiff
Docs: Remove .github/SECURITY.md
author    Lasse Collin <lasse.collin@tukaani.org>
          Sat, 30 Nov 2024 10:05:59 +0000 (12:05 +0200)
committer Lasse Collin <lasse.collin@tukaani.org>
          Sat, 30 Nov 2024 10:05:59 +0000 (12:05 +0200)
One of the reasons to have this file in the xz repository was to
show vulnerability reporting info in the Security section on GitHub.
On 2024-11-25, I added SECURITY.md to the tukaani-project organization
on GitHub:

    https://github.com/tukaani-project/.github/blob/main/SECURITY.md

GitHub shows that file in all projects in the organization unless
overridden by a project-specific SECURITY.md. Thus, removing
the file from the xz repo makes GitHub show the organization-wide
text instead.

Maintaining a single copy for the whole GitHub organization makes
things simpler. It's also nicer to have fewer GitHub-specific files
in the xz repo. Information on how to report bugs (including security
issues) is available in README and on the home page too.

The OpenSSF Scorecard tool didn't find .github/SECURITY.md from the
xz repository. There was a suggestion to move the file to the top-level
directory where Scorecard should find it. However, Scorecard does find
the organization-wide SECURITY.md. Thus, the file isn't needed in the
xz repository to score points in the Scorecard game:

    https://scorecard.dev/viewer/?uri=github.com/tukaani-project/xz

Closes: https://github.com/tukaani-project/xz/issues/148
Closes: https://github.com/tukaani-project/xz/pull/149
.github/SECURITY.md [deleted file]

diff --git a/.github/SECURITY.md b/.github/SECURITY.md
deleted file mode 100644 (file)
index 01ac489..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-# Security Policy
-
-If you discover a security vulnerability in this project, please
-report it privately. **Do not disclose it as a public issue.**
-
-You may submit a report via email to
-[Lasse Collin](mailto:lasse.collin@tukaani.org)
-(OpenPGP key fingerprint: 3690 C240 CE51 B467 0D30 AD1C 38EE 757D 6918 4620),
-or through
-[Security Advisories](https://github.com/tukaani-project/xz/security/advisories/new).
-
-This project is maintained by volunteers on a reasonable-effort basis.
-Please give 30 days to work on a fix before public exposure,
-reducing the chance that an exploit will be used before a patch is released.
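Review bot: deleting the whole file (hunk lines 1-14) removes the only in-repo copy of the maintainer's OpenPGP key fingerprint (3690 C240 CE51 B467 0D30 AD1C 38EE 757D 6918 4620), the private GitHub Security Advisories link and the 30-day coordinated-disclosure request; the commit message says README and the home page cover bug reporting, but the hunk does not show whether they carry these same details. Suggest confirming, before merging, that the organization-wide SECURITY.md linked in the message states the same email, fingerprint and advisory URL, so that a reporter working from a plain checkout of the xz repository (where GitHub's Security tab is not visible) can still locate a verifiable private reporting channel, and that README points to that file or repeats the fingerprint.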