Adding a security policy to your repository
To give people instructions for reporting security vulnerabilities in your project, you can add a SECURITY.mdfile to your repository's root, docs, or .githubfolder. Adding this file to this part(s) of your repository automatically creates a row with a description where people can review it. When someone creates an issue in your repository, they will see a link to your project's security policy.
You can create a default security policy for your organization or personal account. For more information, see Creating a default community health file.
Tip
To help people find your security policy, you can link to your SECURITY.mdfile from other places in your repository, such as your READMEfile. For more information, see About READMEs.
After someone reports a security vulnerability in your project, you can use GitHub Security Advisories to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in GitHub, see About coordinated disclosure of security vulnerabilities. For more information about repository security advisories, see About repository security advisories.
You can also join GitHub Security Lab to browse security-related topics and contribute to security tools and projects.
For an example of a real SECURITY.mdfile, see https://github.com/electron/electron/blob/main/SECURITY.md.
- On GitHub, navigate to the main page of the repository.
-
- In the left sidebar, under "Reporting", click Policy.
- Click Start setup.
- In the new SECURITY.mdfile, add information about supported versions of your project and how to report a vulnerability.
- Click Commit changes...
- In the "Commit message" field, type a short, meaningful commit message that describes the change you made to the file. You can attribute the commit to more than one author in the commit message. For more information, see Creating a commit with multiple authors.
-
-
- Click Commit changes or Propose changes.
