From 1550de728b9307600bb628621349f240674416a4 Mon Sep 17 00:00:00 2001 From: Charles Chiu Date: Sun, 14 Jun 2026 19:50:16 +0800 Subject: [PATCH] docs(security): add links so Scorecard Security-Policy scores full marks --- SECURITY.md | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 65e6925..cbe7166 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,20 +1,24 @@ # Security Policy This policy applies to all repositories owned by the **nics-dp** organization -unless a repository provides its own `SECURITY.md`. +unless a repository provides its own `SECURITY.md`. Organization profile: +. ## Reporting a Vulnerability We take the security of our software seriously and appreciate responsible disclosure. -**Preferred channel - GitHub Private Vulnerability Reporting:** +**Preferred channel - GitHub Private Vulnerability Reporting (PVR):** 1. Open the **Security** tab of the affected repository. 2. Click **Report a vulnerability** to open a private advisory draft. 3. Provide a clear description, affected versions, reproduction steps, and impact assessment. +See GitHub's guide for step-by-step instructions: + + Private Vulnerability Reporting keeps the report confidential between you and the maintainers until a fix is published. For repositories where this option is unavailable, please contact the repository maintainers directly through the @@ -50,3 +54,12 @@ This policy covers code and configuration maintained within nics-dp repositories. Vulnerabilities in third-party dependencies should be reported upstream; if a dependency issue affects our software, we will track and remediate it through our dependency management process. + +## References + +- GitHub Private Vulnerability Reporting: + +- Coordinated disclosure overview: + +- OpenSSF vulnerability disclosure guide: +
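Review bot: In the first hunk the two added link lines have no visible target: "Organization profile:" is followed only by a bare "." on the next line, and "See GitHub's guide for step-by-step instructions:" is followed by blank lines. If these were written as angle-bracket autolinks (`<https://...>`), confirm they actually survive in the committed file, because the commit's stated goal (a full Scorecard Security-Policy score) depends on the policy containing resolvable URLs, and an empty link gives the reader nothing to follow. Minor: expanding "Private Vulnerability Reporting" to "(PVR)" in the bold heading is fine, but the abbreviation is not used again in the visible diff, so it can be dropped.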
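Review bot: The new "## References" section in the second hunk has the same problem as the first: each of the three bullets ("GitHub Private Vulnerability Reporting:", "Coordinated disclosure overview:", "OpenSSF vulnerability disclosure guide:") ends with a colon and no visible URL on the continuation line. Either the targets were stripped on the way into this diff or they were never added; please check the rendered file. Also consider that the first bullet repeats the GitHub PVR guide link already introduced in the "Reporting a Vulnerability" section above, so one of the two can be removed to keep a single canonical link.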