Skip to content

SECURITY.md tells reporters to open a public issue, which discloses the vulnerability the policy is meant to keep private #264

Description

@edmoffo

.github/SECURITY.md:3 tells reporters of vulnerabilities to file a public issue:

Report vulnerabilities by opening an issue at https://github.com/zerocracy/swarm-template/issues/new.

That channel publishes the report — title, body, reproduction, and any proof of concept — to anyone watching the repository, the GitHub global advisories feed, and search-engine crawlers, the moment the issue is created. The security policy is the one document whose entire purpose is to hold a vulnerability private until a fix ships, so routing it through public issues defeats the policy. Every swarm generated from this template inherits the same file and the same routing, multiplying the exposure across every downstream repository.

Fix: replace the public-issue instruction with the repository's private vulnerability reporting channel. Enable "Privately report a security vulnerability" under repository Settings -> Code security, then point .github/SECURITY.md at https://github.com/zerocracy/swarm-template/security/advisories/new (and rely on {{ env.GITHUB_REPOSITORY }} substitution when the same file is committed into the template's outputs). A short fallback email address is acceptable when private reporting is not available.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions