Tidelift users are risk averse, so knowing your packages comply with the Tidelift security requirements gives them added confidence when they are choosing packages and when responding to new vulnerabilities that may arise in the future.
More on security can be found here:
- Tell us about vulnerabilities
- Create a discoverable security policy
- Create a security maintenance plan
Detecting policies on GitHub repositories
We take advantage of GitHub's community health repository and SECURITY.md file to autodetect if you want to use Tidelift's process, or if you've set up a process already for another package and want to reuse that.
To automatically use Tidelift's plan, add https://tidelift.com/security to one of the three files we check (the community repo's SECURITY.md, the repo's SECURITY.md, or the repo's README) and, once we detect it, we'll send you an email with what we detected and a link back to the task to tweak it if needed.
If you've set up a custom policy URL for another package in the same GitHub organization and want to reuse that URL, place it into one of the security files in the other repository and, once detected, we'll send you an email. Remember that at least one other package's coordinated disclosure plan must already have been set up manually for this to work.
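The detection described above, written out as an added example so a maintainer can check a checkout locally before relying on the automated scan. This is not Tidelift's own code; it assumes the README is named README.md or README, models the organization's community health repository as a separately supplied directory, and treats a custom URL as recognized only when it is in the list of plans already configured by hand.

```python
import re
from pathlib import Path

# Opting into Tidelift's own disclosure plan means placing this URL in a checked file.
TIDELIFT_POLICY_URL = "https://tidelift.com/security"

# The three locations the page lists, in the order given. The community health
# repository is a separate repo, so it is keyed as "community/SECURITY.md" (assumption).
CANDIDATE_FILES = ("community/SECURITY.md", "SECURITY.md", "README.md", "README")

URL_RE = re.compile(r"https?://\S+")
TRAILING_PUNCT = ".,;:)]>\"'"


def find_policy_url(files, known_custom_urls=()):
    """Return (file, url, kind) for the first checked file carrying a policy URL.

    files: dict of relative path -> text contents (see load_repo).
    known_custom_urls: policy URLs already configured manually for another
    package in the same organization; any other URL is ignored, mirroring the
    rule that one plan must have been set up by hand before it can be reused.
    kind is "tidelift", "custom", or None when nothing was detected.
    """
    for name in CANDIDATE_FILES:
        text = files.get(name)
        if text is None:
            continue
        for url in URL_RE.findall(text):
            url = url.rstrip(TRAILING_PUNCT)
            if url == TIDELIFT_POLICY_URL:
                return name, url, "tidelift"
            if url in known_custom_urls:
                return name, url, "custom"
    return None, None, None


def load_repo(repo_dir, community_dir=None):
    """Read the candidate files from local checkouts into the dict find_policy_url expects."""
    files = {}
    for name in ("SECURITY.md", "README.md", "README"):
        path = Path(repo_dir) / name
        if path.is_file():
            files[name] = path.read_text(encoding="utf-8", errors="replace")
    if community_dir is not None:
        sec = Path(community_dir) / "SECURITY.md"
        if sec.is_file():
            files["community/SECURITY.md"] = sec.read_text(encoding="utf-8", errors="replace")
    return files


if __name__ == "__main__":
    # Constructed sample: SECURITY.md has an unrelated link, README carries the Tidelift URL.
    sample = {"SECURITY.md": "Report bugs via https://example.org/issues.",
              "README.md": "Security: https://tidelift.com/security."}
    print(find_policy_url(sample))  # ('README.md', 'https://tidelift.com/security', 'tidelift')
```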
Agree to be responsive to security issues
You are expected to be responsive around security issues and work to resolve them. Not all reported issues are severe (or even real), but it's important to assess each one and respond.
We aren't imposing a firm time limit or deadline, because we feel it wouldn't be viable for smaller projects, at least not without more support from Tidelift. However, please put security issues at the front of your priority queue.