Skip to content

Add spec about security policy#390

Open
juanis2112 wants to merge 3 commits intoscientific-python:mainfrom
juanis2112:spec-security-policy
Open

Add spec about security policy#390
juanis2112 wants to merge 3 commits intoscientific-python:mainfrom
juanis2112:spec-security-policy

Conversation

@juanis2112
Copy link
Member

@juanis2112 juanis2112 commented May 14, 2025

This PR introduces a new SPEC focused on Security Policy.

The SPEC outlines how projects can create and maintain a clear and accessible SECURITY.md file to guide users on how to report vulnerabilities responsibly and enable maintainers to respond effectively.

There have been ongoing conversations in the community, particularly at the Developer Summit 2024 and Developer Summit 2025 about improving how we handle vulnerability disclosure. A key part of that is making sure users know how to report issues properly and that starts with a clear security policy.

Due to the complexity of the broader disclosure process, we decided to split the work into two separate SPECs:

  1. Security Policy (this PR)

  2. Vulnerability Disclosure Process (coming soon in a PR by @mihaimaruseac )

A lot of the projects in the ecosystem already have a security policy but this SPEC will hopefully encourage more of them to adopt it.

Link to issue
Discourse post

mihaimaruseac added a commit to mihaimaruseac/specs that referenced this pull request May 14, 2025
@mihaimaruseac
Add SPEC 11 on vulnerability disclosure
757db36 
I used SPEC 11 name as that was selected from the last year, but I am happy to switch to a different number if needed.

This is to be paired with scientific-python#390 and currently a draft.
@mihaimaruseac mihaimaruseac mentioned this pull request May 14, 2025
Open
mihaimaruseac added a commit to mihaimaruseac/specs that referenced this pull request May 14, 2025
@mihaimaruseac
Add SPEC 11 on vulnerability disclosure
6857a78 
I used SPEC 11 name as that was selected from the last year, but I am happy to switch to a different number if needed.

This is to be paired with scientific-python#390 and currently a draft.

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
mihaimaruseac added a commit to mihaimaruseac/specs that referenced this pull request May 14, 2025
@mihaimaruseac
Add SPEC 11 on vulnerability disclosure
7b9a2f9 
I used SPEC 11 name as that was selected from the last year, but I am happy to switch to a different number if needed.

This is to be paired with scientific-python#390 and currently a draft.

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
mihaimaruseac added a commit to mihaimaruseac/specs that referenced this pull request May 14, 2025
@mihaimaruseac
Add SPEC 11 on vulnerability disclosure
0ce4a6e 
I used SPEC 11 name as that was selected from the last year, but I am happy to switch to a different number if needed.

This is to be paired with scientific-python#390 and currently a draft.

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
mihaimaruseac added a commit to mihaimaruseac/specs that referenced this pull request May 14, 2025
@mihaimaruseac
Add SPEC 11 on vulnerability disclosure
9f29643 
I used SPEC 11 name as that was selected from the last year, but I am happy to switch to a different number if needed.

This is to be paired with scientific-python#390 and currently a draft.

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
tupui
tupui approved these changes Jun 11, 2025
View reviewed changes
Copy link
Member

@tupui tupui left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like that SPEC, giving my +1. I don't really have suggestions as to improve the document. I like that it's succinct and refers to official documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tupui tupui tupui approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@juanis2112 @tupui