About security policies
To give people instructions for reporting security vulnerabilities in your project, you can add a SECURITY.md file to your repository's root, or docs folder. When someone creates an issue in your repository, they will see a link to your project's security policy.
Tip: To help people find your security policy, you can link to your SECURITY.md file from other places in your repository, such as your README file. For more information, see "About READMEs."
By making security reporting instructions clearly available, you make it easy for your users to report any security vulnerabilities they find in your repository using your preferred communication channel.
For an example of a real SECURITY.md file, see https://github.com/electron/electron/blob/main/SECURITY.md.
Adding a security policy to your repository
-
On your enterprise, navigate to the main page of the repository.
-
Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.
-
In the left sidebar, under "Reporting", click Policy.
-
Click Start setup.
-
In the new
SECURITY.mdfile, add information about supported versions of your project and how to report a vulnerability. -
In the "Commit message" field, type a short, meaningful commit message that describes the change you made to the file. You can attribute the commit to more than one author in the commit message. For more information, see "Creating a commit with multiple authors."
-
Below the commit message fields, decide whether to add your commit to the current branch or to a new branch. If your current branch is the default branch, you should choose to create a new branch for your commit and then create a pull request. For more information, see "Creating a pull request."
-
Click Commit changes or Propose changes.
