docs: update security policy with private vulnerability reports info (#…

…3168) This PR updates the security policy to encourage users to file security vulnerability reports through https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability The private vulnerability reports will show up here: https://github.com/libp2p/rust-libp2p/security/advisories?state=triage The maintainers will receive GitHub notification about new private vulnerability reports.
libp2p · Dec 12, 2022 · 63ffc7f · 63ffc7f
1 parent 2c8a41c
commit 63ffc7f
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 5 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -5,7 +5,7 @@ about: Create a bug report for rust-libp2p.
 
 <!-- Thank you for filing a bug report! -->
 
-<!-- For security related issues please reach out to security@libp2p.io. Please do not file a public issue on GitHub. -->
+<!-- For security related issues please file a private security vulnerability report at https://github.com/libp2p/rust-libp2p/security/advisories/new or reach out to security@libp2p.io. Please do not file a public issue on GitHub. -->
 
 ## Summary
 

diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,8 +1,11 @@
 blank_issues_enabled: true
 contact_links:
+  - name: Report a vulnerability
+    url: https://github.com/libp2p/rust-libp2p/security/advisories/new
+    about: For security related issues please file a private security vulnerability report.
   - name: Question
     url:  https://github.com/libp2p/rust-libp2p/discussions/new?category=q-a
     about: Please ask questions in the rust-libp2p GitHub Discussions forum.
   - name: Libp2p Discourse Forum
     url:  https://discuss.libp2p.io
-    about: Discussions and questions related to multiple libp2p implementations.
+    about: Discussions and questions related to multiple libp2p implementations.
diff --git a/README.md b/README.md
@@ -14,8 +14,10 @@ This repository is the central place for Rust development of the [libp2p](https:
 - The **[examples](examples)** folder contains small binaries showcasing the
   many protocols in this repository.
 
-- For **security related issues** please reach out to security@libp2p.io. Please
-  do not file a public issue on GitHub.
+- For **security related issues** please [file a private security vulnerability
+  report](https://github.com/libp2p/rust-libp2p/security/advisories/new)
+  or reach out to [security@libp2p.io](mailto:security@libp2p.io). Please do not
+  file a public issue on GitHub.
 
 - To **report bugs, suggest improvements or request new features** please open a
   GitHub issue on this repository.

diff --git a/SECURITY.md b/SECURITY.md
@@ -6,4 +6,6 @@ By default we provide security patches for the latest released version only. On
 
 ## Reporting a Vulnerability
 
-Please reach out to security@libp2p.io. Please do not file a public issue on GitHub.
+Please do not file a public issue on GitHub. Instead, please [file a private security vulnerability report](https://github.com/libp2p/rust-libp2p/security/advisories/new).
+
+If you need further assistance, please reach out to [security@libp2p.io](mailto:security@libp2p.io).