From 2426a0c4b27313e1fa8161c31c7f7dbe1ca17b08 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Fri, 20 Oct 2023 15:58:27 -0700 Subject: [PATCH] [security] add prose explaining OpenSSF CII Best Practices badge results Fixes https://github.com/openjs-foundation/security-collab-space/issues/35. --- .github/SECURITY.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 82e4285adc..3ba6266f2c 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -1,3 +1,23 @@ # Security Please email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report. + +## OpenSSF CII Best Practices + +[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/684/badge)](https://bestpractices.coreinfrastructure.org/projects/684) + +There are three “tiers”: passing, silver, and gold. + +### Passing +We meet 100% of the “passing” criteria. + +### Silver +We meet 95% of the “silver” criteria. The gaps are as follows: + - we do not have a DCO or a CLA process for contributions. + - because we only have one maintainer, the project has no way to continue if that maintainer stops being active. + - we do not currently document “what the user can and cannot expect in terms of security” for our project. This is planned to be completed in 2023. + +### Gold +We meet 65% of the “gold” criteria. The gaps are as follows: + - we do not yet have the “silver” badge; see all the gaps above. + - We do not include a copyright or license statement in each source file. Efforts are underway to change this archaic practice into a suggestion instead of a hard requirement.