diff --git a/docs/checks.md b/docs/checks.md index b53d7b33292..0aba6fb09ca 100644 --- a/docs/checks.md +++ b/docs/checks.md @@ -517,7 +517,7 @@ information about a bug is not publicly visible. **Remediation steps** - Place a security policy file `SECURITY.md` in the root directory of your repository. This makes it easily discoverable by a vulnerability reporter. -- The file should contain information on what constitutes a vulnerability and a way to report it securely (e.g. issue tracker with private issue support, encrypted email with a published public key). +- The file should contain information on what constitutes a vulnerability and a way to report it securely, e.g., an issue tracker with private issue support, encrypted email with a published public key. Follow the [coordinated vulnerability disclosure guidelines](https://github.com/ossf/oss-vulnerability-guide/blob/main/guide.md) to respond to vulnerability disclosures. - For GitHub, see more information [here](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository). ## Signed-Releases diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml index ef5fe50e4bd..2d2847c46c6 100644 --- a/docs/checks/internal/checks.yaml +++ b/docs/checks/internal/checks.yaml @@ -551,7 +551,9 @@ checks: - >- The file should contain information on what constitutes a vulnerability and a way to report it securely (e.g. issue tracker with private issue - support, encrypted email with a published public key). + support, encrypted email with a published public key). Follow the + [coordinated vulnerability disclosure guidelines](https://github.com/ossf/oss-vulnerability-guide/blob/main/guide.md) + to respond to vulnerability disclosures. - >- For GitHub, see more information [here](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository).
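Review bot: the same sentence is edited in both files but ends up with different wording. In `docs/checks.md` the parenthetical becomes `..., e.g., an issue tracker with private issue support, encrypted email with a published public key. Follow the ...`, while in `docs/checks/internal/checks.yaml` the original form `(e.g. issue tracker with private issue support, encrypted email with a published public key). Follow the ...` is kept and only the new sentence is appended. If `docs/checks.md` is generated from `checks.yaml`, a regeneration will overwrite the hand-edited markdown and any docs-consistency check will flag the mismatch; pick one wording, apply it to the yaml source, and regenerate (or copy it verbatim) so the two hunks are identical. The yaml change itself is fine: the `>-` folded scalar joins the three added lines with single spaces, so the markdown link renders intact, matching the existing `[here](...)` link style in the next list item.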