From c2bd6d6368f783400d2c89a83ca171ceaa12ac26 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Fri, 12 Jan 2024 19:46:29 -0800 Subject: [PATCH] Create a security policy (#1091) We really should provide guidance on how to open a security issue on Bandit itself. Tidelift also requires a security policy document that they can refer to and help coordinate for their customers. --- SECURITY.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..a627e5f8e --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,9 @@ +# Security Policy + +Bandit is a tool designed to find security issues, so every effort is made that Bandit itself is also +free of those issues. However, if you believe you have found a security vulnerability in this repository +please open it privately via the [Report a security vulnerability](https://github.com/PyCQA/bandit/security/advisories/new) link in the Issues tab. + +**Please do not report security vulnerabilities through public issues, discussions, or pull requests.** + +Please also inform the [Tidelift security](https://tidelift.com/security). Tidelift will help coordinate the fix and disclosure.
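Review bot: The new SECURITY.md tells reporters where to file but not what to expect afterwards; it has no acknowledgement window, no supported-versions statement, and no indication of whether the project follows a coordinated-disclosure timeline. Consider adding a short "Supported Versions" section and a sentence such as "We aim to acknowledge reports within N days" (value to be decided by the maintainers) so reporters know when to escalate. Two wording fixes in the same hunk: "every effort is made that Bandit itself is also free of those issues" reads better as "every effort is made to keep Bandit itself free of such issues", and "Please also inform the [Tidelift security](https://tidelift.com/security)" should be "Please also report it to [Tidelift security](https://tidelift.com/security)"; it would also help to say whether the GitHub advisory or the Tidelift report is the primary channel, since the text currently asks for both without ordering them.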