Security Policy

[naveensrinivasan]

give instructions for how to report a security vulnerability in your project by adding a security policy to the repository

https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

[ariard]

Yes, we know that, we'll get one soon.

[TheBlueMatt]

In general, I think we should have security issues reported via email, with PGP keys posted, though of course up to senders if they use that. I can set up a listserv to relay mails to various people for this, presumably some set of active contributors? Would generally prefer if the emails not simply go unencrypted to gmail inboxes or similar providers, though.