title | intro | redirect_from | versions | type | topics | shortTitle | |||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Adding a security policy to your repository |
You can give instructions for how to report a security vulnerability in your project by adding a security policy to your repository. |
|
|
how_to |
|
Add a security policy |
To give people instructions for reporting security vulnerabilities in your project, you can add a SECURITY.md
file to your repository's root, docs
, or .github
folder. Adding this file to this part(s) of your repository automatically creates a row with a description where people can review it. When someone creates an issue in your repository, they will see a link to your project's security policy.
You can create a default security policy for your organization or personal account. For more information, see "AUTOTITLE."
{% tip %}
Tip: To help people find your security policy, you can link to your SECURITY.md
file from other places in your repository, such as your README
file. For more information, see "AUTOTITLE."
{% endtip %}
{% ifversion fpt or ghec %} After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}, see "AUTOTITLE." For more information about repository security advisories, see "AUTOTITLE."
{% data reusables.repositories.github-security-lab %} {% endif %} {% ifversion ghes %}
By making security reporting instructions clearly available, you make it easy for your users to report any security vulnerabilities they find in your repository using your preferred communication channel. {% endif %}
For an example of a real SECURITY.md
file, see https://github.com/electron/electron/blob/main/SECURITY.md.
{% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %}
- In the left sidebar, under "Reporting", click {% octicon "law" aria-hidden="true" %} Policy.
- Click Start setup.
- In the new
SECURITY.md
file, add information about supported versions of your project and how to report a vulnerability. {% data reusables.files.write_commit_message %} {% data reusables.files.choose-commit-email %} {% data reusables.files.choose_commit_branch %} {% data reusables.files.propose_file_change %}