On Tue, 24 Sep 2024 13:28:47 GMT, George Adams <gd...@openjdk.org> wrote:

> Currently the [security tab](https://github.com/openjdk/jdk/security) on the 
> GitHub repos is empty with no clear information or links on where to report 
> security vulnerabilities.
> 
> <img width="1278" alt="Screenshot 2024-09-24 at 14 28 37" 
> src="https://github.com/user-attachments/assets/4fd68f9f-46d8-4c06-ad71-52747c8f5cf2">
> 
> I've made an exact copy of https://openjdk.org/groups/vulnerability/report 
> which hasn't changed since 2019 so is unlikely to require regular updating to 
> stay in sync. The other option is that we simply provide a link in the 
> security file to this policy on the website? I'm happy with either approach.

This kind of change needs to be reviewed by the vulnerability group. I have 
notified the appropriate people internally. This PR should not be integrated 
until you get a clear go ahead from them.

My personal opinion is that one should always try to avoid duplicating/forking 
documentation, so if we are to create a security.md file to populate the 
security tab in GitHub, then it should only contain a link to the official 
documentation on openjdk.org. You also need to keep in mind that this file 
would be unique for every update release repository, so any change would need 
to be backported everywhere. That makes maintaining this kind of information in 
the project source repository quite impractical.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/21155#issuecomment-2371776187