A discoverable vulnerability-reporting policy, or coordinated disclosure plan, helps ensure that you will be notified of vulnerability reports for your package before they are made public. This reduces the risk that users will be exploited by a publicly disclosed vulnerability before the fix is issued and applied, so we need you to let us know how security reports will be handled for your package.
There are two elements of this:
- By agreeing to lift your package, you agree that you'll follow responsible disclosure practices.
- If someone reports a vulnerability to you, actually use a responsible disclosure process.
If your package already has a security policy or you'd like to handle it on your own, just point us to the URL for the policy. If you'd prefer, you can use the Tidelift security policy and we'll help coordinate the fix and disclosure. We'll walk you through this task when you start lifting a package.
If you're creating your own process, these packages with mature, detailed security policies are good examples of how other packages handle security bugs: